[fix] handle SAS secure desktop transitions and restore desktop capture promptly, refs #77

[feat] improve Windows secure desktop capture and input handling, refs #77
[feat] improve secure desktop capture by streaming latest frames through shared memory
2026-06-30 02:52:05 +08:00 · 2026-05-26 04:38:07 +08:00 · 2026-05-26 03:26:37 +08:00 · 2026-05-26 01:28:12 +08:00
13 changed files with 1813 additions and 166 deletions
@@ -82,15 +82,22 @@ HICON LoadTrayIcon() {

 struct WindowsServiceInteractiveStatus {
  bool available = false;
+  bool sas_secure_desktop_grace_active = false;
  unsigned int error_code = 0;
  std::string interactive_stage;
  std::string error;
 };

 constexpr uint32_t kWindowsServiceStatusIntervalMs = 1000;
-constexpr DWORD kWindowsServiceQueryTimeoutMs = 100;
+constexpr uint32_t kWindowsServiceSasSecureDesktopGraceMs = 2000;
+constexpr DWORD kWindowsServiceQueryTimeoutMs = 500;
 constexpr DWORD kWindowsServiceSasTimeoutMs = 500;

+bool IsTransientWindowsServiceStatusError(const std::string& error) {
+  return error == "pipe_unavailable" || error == "pipe_connect_failed" ||
+         error == "pipe_read_failed";
+}
+
 RemoteAction BuildWindowsServiceStatusAction(
    const WindowsServiceInteractiveStatus& status) {
  RemoteAction action{};
@@ -125,6 +132,8 @@ bool QueryWindowsServiceInteractiveStatus(
  }

  status->interactive_stage = json.value("interactive_stage", std::string());
+  status->sas_secure_desktop_grace_active =
+      json.value("sas_secure_desktop_grace_active", false);

  if (ShouldNormalizeUnlockToUserDesktop(
          json.value("interactive_lock_screen_visible", false),
@@ -1923,6 +1932,12 @@ void Render::HandleWindowsServiceIntegration() {
      LOG_WARN("Remote SAS request failed: {}", response);
    } else {
      LOG_INFO("Remote SAS request forwarded to local Windows service");
+      optimistic_windows_secure_desktop_until_tick_ =
+          static_cast<uint32_t>(SDL_GetTicks()) +
+          kWindowsServiceSasSecureDesktopGraceMs;
+      local_service_status_received_ = true;
+      local_service_available_ = true;
+      local_interactive_stage_ = "secure-desktop";
    }
    last_windows_service_status_tick_ = 0;
    force_broadcast = true;
@@ -1938,9 +1953,32 @@ void Render::HandleWindowsServiceIntegration() {

  WindowsServiceInteractiveStatus status;
  const bool status_ok = QueryWindowsServiceInteractiveStatus(&status);
-  local_service_status_received_ = status_ok;
+  WindowsServiceInteractiveStatus broadcast_status = status;
+  const bool previous_secure_desktop_interaction =
+      IsSecureDesktopInteractionRequired(local_interactive_stage_);
+  const bool optimistic_secure_desktop_active =
+      optimistic_windows_secure_desktop_until_tick_ != 0 &&
+      static_cast<int32_t>(optimistic_windows_secure_desktop_until_tick_ -
+                           now) > 0;
+  const bool keep_optimistic_secure_desktop =
+      status_ok && status.available && optimistic_secure_desktop_active &&
+      status.sas_secure_desktop_grace_active &&
+      status.interactive_stage == "user-desktop";
+  local_service_status_received_ =
+      status_ok || previous_secure_desktop_interaction;
  local_service_available_ = status.available;
-  local_interactive_stage_ = status.available ? status.interactive_stage : "";
+  if (status.available) {
+    if (keep_optimistic_secure_desktop) {
+      local_interactive_stage_ = "secure-desktop";
+      broadcast_status.interactive_stage = local_interactive_stage_;
+    } else {
+      local_interactive_stage_ = status.interactive_stage;
+      optimistic_windows_secure_desktop_until_tick_ = 0;
+    }
+  } else if (!previous_secure_desktop_interaction) {
+    local_interactive_stage_.clear();
+    optimistic_windows_secure_desktop_until_tick_ = 0;
+  }

  if (status_ok) {
    const bool availability_changed =
@@ -1953,6 +1991,11 @@ void Render::HandleWindowsServiceIntegration() {
      if (status.available) {
        LOG_INFO(
            "Local Windows service available for secure desktop integration");
+      } else if (IsTransientWindowsServiceStatusError(status.error)) {
+        LOG_INFO(
+            "Local Windows service temporarily unavailable, keeping last "
+            "secure desktop state: error={}, code={}",
+            status.error, status.error_code);
      } else {
        LOG_WARN(
            "Local Windows service unavailable, secure desktop integration "
@@ -1973,7 +2016,7 @@ void Render::HandleWindowsServiceIntegration() {
    last_logged_service_error_code = 0;
  }

-  RemoteAction remote_action = BuildWindowsServiceStatusAction(status);
+  RemoteAction remote_action = BuildWindowsServiceStatusAction(broadcast_status);
  std::string msg = remote_action.to_json();
  int ret = SendReliableDataFrame(peer_, msg.data(), msg.size(),
                                  control_data_label_.c_str());
@@ -1992,6 +2035,7 @@ void Render::ResetLocalWindowsServiceState(bool clear_pending_sas) {
  local_service_status_received_ = false;
  local_service_available_ = false;
  local_interactive_stage_.clear();
+  optimistic_windows_secure_desktop_until_tick_ = 0;
 }
 #endif

@@ -547,6 +547,7 @@ class Render {
  std::string local_interactive_stage_;
  uint32_t last_local_secure_input_block_log_tick_ = 0;
  uint32_t last_windows_service_status_tick_ = 0;
+  uint32_t optimistic_windows_secure_desktop_until_tick_ = 0;
 #endif

  // stream window render
@@ -317,6 +317,22 @@ void LogSecureDesktopInputBlocked(uint32_t* last_tick, const char* side,
      "cannot drive the Windows password UI",
      side != nullptr ? side : "unknown", stage != nullptr ? stage : "");
 }
+
+bool IsTransientSecureDesktopInputFailure(const nlohmann::json& response,
+                                          const RemoteAction& action) {
+  if (!response.is_object()) {
+    return false;
+  }
+  if (response.value("error", std::string()) != "send_input_failed") {
+    return false;
+  }
+  if (response.value("code", 0u) != ERROR_ACCESS_DENIED) {
+    return false;
+  }
+
+  return action.type == ControlType::keyboard &&
+         action.k.flag == KeyFlag::key_up;
+}
 #endif

 }  // namespace
@@ -492,7 +508,7 @@ int Render::ProcessKeyboardEvent(const SDL_Event& event) {

 int Render::ProcessMouseEvent(const SDL_Event& event) {
  controlled_remote_id_ = "";
-  RemoteAction remote_action;
+  RemoteAction remote_action{};
  float cursor_x = last_mouse_event.motion.x;
  float cursor_y = last_mouse_event.motion.y;

@@ -1104,7 +1120,6 @@ void Render::OnReceiveDataBufferCb(const char* data, size_t size,
    // remote
 #if _WIN32
    if (render->local_service_status_received_ &&
-        render->local_service_available_ &&
        IsSecureDesktopInteractionRequired(render->local_interactive_stage_)) {
      if (remote_action.type == ControlType::mouse) {
        int absolute_x = 0;
@@ -1145,6 +1160,14 @@ void Render::OnReceiveDataBufferCb(const char* data, size_t size,
            remote_action.k.extended, 1000);
        auto json = nlohmann::json::parse(response, nullptr, false);
        if (json.is_discarded() || !json.value("ok", false)) {
+          if (!json.is_discarded() &&
+              IsTransientSecureDesktopInputFailure(json, remote_action)) {
+            LOG_INFO(
+                "Secure desktop keyboard injection transient failure, "
+                "key_code={}, is_down={}, response={}",
+                key_code, is_down, response);
+            return;
+          }
          LogSecureDesktopInputBlocked(
              &render->last_local_secure_input_block_log_tick_, "local",
              render->local_interactive_stage_.c_str());
@@ -29,11 +29,13 @@ namespace {
 using Json = nlohmann::json;

 constexpr DWORD kSecureDesktopStatusIntervalMs = 250;
-constexpr DWORD kSecureDesktopStatusPipeTimeoutMs = 150;
+constexpr DWORD kSecureDesktopStatusPipeTimeoutMs = 500;
 constexpr DWORD kSecureDesktopHelperPipeTimeoutMs = 120;
 constexpr DWORD kSecureDesktopTransientErrorGraceMs = 1500;
 constexpr DWORD kSecureDesktopTransientErrorLogIntervalMs = 5000;
-constexpr int kSecureDesktopCaptureMinIntervalMs = 100;
+constexpr int kSecureDesktopCaptureMinFps = 30;
+constexpr int kSecureDesktopCaptureMaxIntervalMs =
+    1000 / kSecureDesktopCaptureMinFps;

 struct SecureDesktopServiceStatus {
  bool service_available = false;
@@ -129,10 +131,28 @@ class WgcPluginCapturer final : public ScreenCapturer {
 };

 std::string BuildSecureCaptureCommand(int left, int top, int width, int height,
-                                      bool show_cursor) {
+                                      bool show_cursor,
+                                      const std::string& stage) {
  std::ostringstream stream;
  stream << kCrossDeskSecureInputCaptureCommandPrefix << left << ":" << top
         << ":" << width << ":" << height << ":" << (show_cursor ? 1 : 0);
+  if (!stage.empty()) {
+    stream << ":" << stage;
+  }
+  return stream.str();
+}
+
+std::string BuildSecureCaptureStartCommand(int left, int top, int width,
+                                           int height, bool show_cursor,
+                                           int fps,
+                                           const std::string& stage) {
+  std::ostringstream stream;
+  stream << kCrossDeskSecureInputCaptureStartCommandPrefix << left << ":" << top
+         << ":" << width << ":" << height << ":" << (show_cursor ? 1 : 0)
+         << ":" << fps;
+  if (!stage.empty()) {
+    stream << ":" << stage;
+  }
  return stream.str();
 }

@@ -148,6 +168,11 @@ bool IsTransientSecureDesktopFrameError(const std::string& error_message) {
         error_message.find("\"error\":\"bitblt_failed\"") != std::string::npos;
 }

+bool IsTransientWindowsServiceStatusError(const std::string& error) {
+  return error == "pipe_unavailable" || error == "pipe_connect_failed" ||
+         error == "pipe_read_failed";
+}
+
 bool ReadPipeMessage(HANDLE pipe, std::vector<uint8_t>* response_out,
                     DWORD* error_code_out = nullptr) {
  if (response_out == nullptr) {
@@ -274,17 +299,15 @@ bool QuerySecureDesktopServiceStatus(SecureDesktopServiceStatus* status) {
  return true;
 }

-bool QuerySecureDesktopHelperFrame(DWORD session_id, int left, int top,
-                                   int width, int height, bool show_cursor,
-                                   std::vector<uint8_t>* nv12_frame_out,
-                                   int* captured_width_out,
-                                   int* captured_height_out,
-                                   std::string* error_out) {
-  if (nv12_frame_out == nullptr || captured_width_out == nullptr ||
-      captured_height_out == nullptr) {
+bool QuerySecureDesktopHelperCommand(DWORD session_id,
+                                     const std::string& command,
+                                     std::vector<uint8_t>* response_out,
+                                     std::string* error_out) {
+  if (response_out == nullptr) {
    return false;
  }

+  response_out->clear();
  const std::wstring pipe_name =
      GetCrossDeskSecureInputHelperPipeName(session_id);
  if (!WaitNamedPipeW(pipe_name.c_str(), kSecureDesktopHelperPipeTimeoutMs)) {
@@ -306,8 +329,6 @@ bool QuerySecureDesktopHelperFrame(DWORD session_id, int left, int top,
  DWORD pipe_mode = PIPE_READMODE_MESSAGE;
  SetNamedPipeHandleState(pipe, &pipe_mode, nullptr, nullptr);

-  const std::string command =
-      BuildSecureCaptureCommand(left, top, width, height, show_cursor);
  DWORD bytes_written = 0;
  if (!WriteFile(pipe, command.data(), static_cast<DWORD>(command.size()),
                 &bytes_written, nullptr)) {
@@ -319,9 +340,8 @@ bool QuerySecureDesktopHelperFrame(DWORD session_id, int left, int top,
    return false;
  }

-  std::vector<uint8_t> response;
  DWORD read_error = 0;
-  const bool read_ok = ReadPipeMessage(pipe, &response, &read_error);
+  const bool read_ok = ReadPipeMessage(pipe, response_out, &read_error);
  CloseHandle(pipe);
  if (!read_ok) {
    if (error_out != nullptr) {
@@ -330,6 +350,29 @@ bool QuerySecureDesktopHelperFrame(DWORD session_id, int left, int top,
    return false;
  }

+  return true;
+}
+
+bool QuerySecureDesktopHelperFrame(DWORD session_id, int left, int top,
+                                   int width, int height, bool show_cursor,
+                                   const std::string& stage,
+                                   std::vector<uint8_t>* nv12_frame_out,
+                                   int* captured_width_out,
+                                   int* captured_height_out,
+                                   std::string* error_out) {
+  if (nv12_frame_out == nullptr || captured_width_out == nullptr ||
+      captured_height_out == nullptr) {
+    return false;
+  }
+
+  const std::string command =
+      BuildSecureCaptureCommand(left, top, width, height, show_cursor, stage);
+  std::vector<uint8_t> response;
+  if (!QuerySecureDesktopHelperCommand(session_id, command, &response,
+                                       error_out)) {
+    return false;
+  }
+
  return ParseSecureDesktopFrameResponse(response, nv12_frame_out,
                                         captured_width_out,
                                         captured_height_out, error_out);
@@ -496,6 +539,7 @@ int ScreenCapturerWin::Stop() {
    ret = impl_->Stop();
  }
  StopSecureCaptureThread();
+  StopSecureDesktopSharedCapture(secure_shared_session_id_);
  return ret;
 }

@@ -616,10 +660,239 @@ bool ScreenCapturerWin::GetCurrentCaptureRegion(int* left, int* top, int* width,
  return true;
 }

+void ScreenCapturerWin::CloseSecureDesktopSharedFrame() {
+  if (secure_frame_view_ != nullptr) {
+    UnmapViewOfFile(secure_frame_view_);
+    secure_frame_view_ = nullptr;
+  }
+  if (secure_frame_ready_event_ != nullptr) {
+    CloseHandle(secure_frame_ready_event_);
+    secure_frame_ready_event_ = nullptr;
+  }
+  if (secure_frame_mapping_ != nullptr) {
+    CloseHandle(secure_frame_mapping_);
+    secure_frame_mapping_ = nullptr;
+  }
+  secure_frame_view_size_ = 0;
+}
+
+void ScreenCapturerWin::StopSecureDesktopSharedCapture(DWORD session_id) {
+  DWORD target_session_id = session_id;
+  if (target_session_id == 0xFFFFFFFF) {
+    target_session_id = secure_shared_session_id_;
+  }
+
+  if (secure_shared_capture_started_ &&
+      target_session_id != 0xFFFFFFFF) {
+    std::vector<uint8_t> response;
+    std::string error_message;
+    QuerySecureDesktopHelperCommand(
+        target_session_id, kCrossDeskSecureInputCaptureStopCommand, &response,
+        &error_message);
+  }
+
+  CloseSecureDesktopSharedFrame();
+  secure_shared_capture_started_ = false;
+  secure_shared_session_id_ = 0xFFFFFFFF;
+  secure_shared_left_ = 0;
+  secure_shared_top_ = 0;
+  secure_shared_width_ = 0;
+  secure_shared_height_ = 0;
+  secure_shared_fps_ = 0;
+  secure_shared_show_cursor_ = true;
+  secure_shared_stage_.clear();
+}
+
+bool ScreenCapturerWin::OpenSecureDesktopSharedFrame(DWORD session_id,
+                                                     size_t min_size,
+                                                     std::string* error_out) {
+  if (secure_frame_view_ != nullptr &&
+      secure_shared_session_id_ == session_id &&
+      secure_frame_view_size_ >= min_size) {
+    return true;
+  }
+
+  CloseSecureDesktopSharedFrame();
+
+  const std::wstring mapping_name =
+      GetCrossDeskSecureDesktopFrameMappingName(session_id);
+  HANDLE frame_mapping =
+      OpenFileMappingW(FILE_MAP_READ, FALSE, mapping_name.c_str());
+  if (frame_mapping == nullptr) {
+    if (error_out != nullptr) {
+      *error_out = "open_frame_mapping_failed:" +
+                   std::to_string(GetLastError());
+    }
+    return false;
+  }
+
+  auto* frame_view =
+      static_cast<uint8_t*>(MapViewOfFile(frame_mapping, FILE_MAP_READ, 0, 0, 0));
+  if (frame_view == nullptr) {
+    const DWORD error = GetLastError();
+    CloseHandle(frame_mapping);
+    if (error_out != nullptr) {
+      *error_out = "map_frame_view_failed:" + std::to_string(error);
+    }
+    return false;
+  }
+
+  const std::wstring event_name =
+      GetCrossDeskSecureDesktopFrameReadyEventName(session_id);
+  HANDLE frame_ready_event =
+      OpenEventW(SYNCHRONIZE, FALSE, event_name.c_str());
+  if (frame_ready_event == nullptr) {
+    const DWORD error = GetLastError();
+    UnmapViewOfFile(frame_view);
+    CloseHandle(frame_mapping);
+    if (error_out != nullptr) {
+      *error_out = "open_frame_event_failed:" + std::to_string(error);
+    }
+    return false;
+  }
+
+  secure_frame_mapping_ = frame_mapping;
+  secure_frame_ready_event_ = frame_ready_event;
+  secure_frame_view_ = frame_view;
+  secure_frame_view_size_ = min_size;
+  secure_shared_session_id_ = session_id;
+  return true;
+}
+
+bool ScreenCapturerWin::ReadSecureDesktopSharedFrame(
+    DWORD wait_ms, std::vector<uint8_t>* nv12_frame_out, int* width_out,
+    int* height_out, std::string* error_out) {
+  if (nv12_frame_out == nullptr || width_out == nullptr ||
+      height_out == nullptr || secure_frame_view_ == nullptr ||
+      secure_frame_ready_event_ == nullptr) {
+    return false;
+  }
+
+  const DWORD wait_result = WaitForSingleObject(secure_frame_ready_event_,
+                                                wait_ms);
+  if (wait_result == WAIT_TIMEOUT) {
+    if (error_out != nullptr) {
+      *error_out = "frame_wait_timeout";
+    }
+    return false;
+  }
+  if (wait_result != WAIT_OBJECT_0) {
+    if (error_out != nullptr) {
+      *error_out = "frame_wait_failed:" + std::to_string(GetLastError());
+    }
+    return false;
+  }
+
+  auto* header =
+      reinterpret_cast<CrossDeskSecureDesktopSharedFrameHeader*>(
+          secure_frame_view_);
+  if (header->magic != kCrossDeskSecureDesktopFrameMagic ||
+      header->version != kCrossDeskSecureDesktopFrameVersion) {
+    if (error_out != nullptr) {
+      *error_out = "invalid_shared_frame_header";
+    }
+    return false;
+  }
+  if (header->writing != 0) {
+    if (error_out != nullptr) {
+      *error_out = "shared_frame_write_in_progress";
+    }
+    return false;
+  }
+
+  const uint32_t sequence = header->sequence;
+  const uint32_t payload_size = header->payload_size;
+  const uint32_t buffer_size = header->buffer_size;
+  if (payload_size == 0 || payload_size > buffer_size ||
+      sizeof(*header) + static_cast<size_t>(payload_size) >
+          secure_frame_view_size_) {
+    if (error_out != nullptr) {
+      *error_out = "invalid_shared_frame_size";
+    }
+    return false;
+  }
+
+  nv12_frame_out->resize(payload_size);
+  std::memcpy(nv12_frame_out->data(), secure_frame_view_ + sizeof(*header),
+              payload_size);
+  MemoryBarrier();
+  if (header->writing != 0 || header->sequence != sequence) {
+    if (error_out != nullptr) {
+      *error_out = "shared_frame_changed_during_read";
+    }
+    return false;
+  }
+
+  *width_out = static_cast<int>(header->width);
+  *height_out = static_cast<int>(header->height);
+  return true;
+}
+
+bool ScreenCapturerWin::StartSecureDesktopSharedCapture(
+    DWORD session_id, int left, int top, int width, int height,
+    const std::string& stage, bool show_cursor, int fps,
+    std::string* error_out) {
+  const size_t payload_size = static_cast<size_t>(width) * height * 3 / 2;
+  const size_t mapping_size =
+      sizeof(CrossDeskSecureDesktopSharedFrameHeader) + payload_size;
+  if (payload_size == 0) {
+    if (error_out != nullptr) {
+      *error_out = "invalid_capture_size";
+    }
+    return false;
+  }
+
+  if (secure_shared_capture_started_ &&
+      secure_shared_session_id_ == session_id &&
+      secure_shared_left_ == left && secure_shared_top_ == top &&
+      secure_shared_width_ == width && secure_shared_height_ == height &&
+      secure_shared_stage_ == stage &&
+      secure_shared_show_cursor_ == show_cursor && secure_shared_fps_ == fps &&
+      OpenSecureDesktopSharedFrame(session_id, mapping_size, error_out)) {
+    return true;
+  }
+
+  StopSecureDesktopSharedCapture(secure_shared_session_id_);
+
+  const std::string command =
+      BuildSecureCaptureStartCommand(left, top, width, height, show_cursor, fps,
+                                     stage);
+  std::vector<uint8_t> response;
+  if (!QuerySecureDesktopHelperCommand(session_id, command, &response,
+                                       error_out)) {
+    return false;
+  }
+
+  Json json = Json::parse(response.begin(), response.end(), nullptr, false);
+  if (json.is_discarded() || !json.value("ok", false)) {
+    if (error_out != nullptr) {
+      *error_out = ExtractPipeTextResponse(response);
+    }
+    return false;
+  }
+
+  secure_shared_capture_started_ = true;
+  secure_shared_session_id_ = session_id;
+  secure_shared_left_ = left;
+  secure_shared_top_ = top;
+  secure_shared_width_ = width;
+  secure_shared_height_ = height;
+  secure_shared_show_cursor_ = show_cursor;
+  secure_shared_fps_ = fps;
+  secure_shared_stage_ = stage;
+
+  if (!OpenSecureDesktopSharedFrame(session_id, mapping_size, error_out)) {
+    StopSecureDesktopSharedCapture(session_id);
+    return false;
+  }
+
+  return true;
+}
+
 void ScreenCapturerWin::SecureDesktopCaptureLoop() {
  const int frame_interval_ms =
-      fps_ > 0 ? (std::max)(kSecureDesktopCaptureMinIntervalMs, 1000 / fps_)
-               : kSecureDesktopCaptureMinIntervalMs;
+      fps_ > 0 ? (std::min)(kSecureDesktopCaptureMaxIntervalMs, 1000 / fps_)
+               : kSecureDesktopCaptureMaxIntervalMs;
  ULONGLONG last_status_tick = 0;
  ULONGLONG last_error_tick = 0;
  bool last_capture_active = false;
@@ -653,6 +926,11 @@ void ScreenCapturerWin::SecureDesktopCaptureLoop() {
                "Windows capturer secure desktop service available, polling "
                "session_id={}",
                status.active_session_id);
+          } else if (IsTransientWindowsServiceStatusError(status.error)) {
+            LOG_INFO(
+                "Windows capturer secure desktop service temporarily unavailable: "
+                "error={}, code={}",
+                status.error, status.error_code);
          } else {
            LOG_WARN(
                "Windows capturer secure desktop service unavailable: "
@@ -686,12 +964,14 @@ void ScreenCapturerWin::SecureDesktopCaptureLoop() {
    }

    if (!status.capture_active || status.active_session_id == 0xFFFFFFFF) {
+      StopSecureDesktopSharedCapture(secure_shared_session_id_);
      std::this_thread::sleep_for(
          std::chrono::milliseconds(status.service_available ? 50 : 200));
      continue;
    }

    if (!status.helper_running) {
+      StopSecureDesktopSharedCapture(secure_shared_session_id_);
      std::this_thread::sleep_for(std::chrono::milliseconds(30));
      continue;
    }
@@ -702,6 +982,7 @@ void ScreenCapturerWin::SecureDesktopCaptureLoop() {
    int height = 0;
    std::string display_name;
    if (!GetCurrentCaptureRegion(&left, &top, &width, &height, &display_name)) {
+      StopSecureDesktopSharedCapture(secure_shared_session_id_);
      std::this_thread::sleep_for(std::chrono::milliseconds(100));
      continue;
    }
@@ -709,15 +990,40 @@ void ScreenCapturerWin::SecureDesktopCaptureLoop() {
    int captured_width = 0;
    int captured_height = 0;
    std::string error_message;
-    if (QuerySecureDesktopHelperFrame(
-            status.active_session_id, left, top, width, height,
-            show_cursor_.load(std::memory_order_relaxed), &secure_frame,
+    bool frame_delivered = false;
+    const bool show_cursor = show_cursor_.load(std::memory_order_relaxed);
+    const int shared_fps =
+        fps_ > 0 ? (std::max)(kSecureDesktopCaptureMinFps, fps_)
+                 : kSecureDesktopCaptureMinFps;
+
+    if (StartSecureDesktopSharedCapture(status.active_session_id, left, top,
+                                        width, height,
+                                        status.interactive_stage, show_cursor,
+                                        shared_fps, &error_message) &&
+        ReadSecureDesktopSharedFrame(
+            static_cast<DWORD>(frame_interval_ms + 20), &secure_frame,
            &captured_width, &captured_height, &error_message)) {
      if (cb_orig_ && !secure_frame.empty()) {
        cb_orig_(secure_frame.data(), static_cast<int>(secure_frame.size()),
                 captured_width, captured_height, display_name.c_str());
      }
-    } else {
+      frame_delivered = true;
+    }
+
+    if (!frame_delivered &&
+        QuerySecureDesktopHelperFrame(status.active_session_id, left, top,
+                                      width, height, show_cursor,
+                                      status.interactive_stage,
+                                      &secure_frame, &captured_width,
+                                      &captured_height, &error_message)) {
+      if (cb_orig_ && !secure_frame.empty()) {
+        cb_orig_(secure_frame.data(), static_cast<int>(secure_frame.size()),
+                 captured_width, captured_height, display_name.c_str());
+      }
+      frame_delivered = true;
+    }
+
+    if (!frame_delivered) {
      const bool transient_error =
          IsTransientSecureDesktopFrameError(error_message);
      const bool in_grace_period = capture_stage_started_tick != 0 &&
@@ -731,10 +1037,19 @@ void ScreenCapturerWin::SecureDesktopCaptureLoop() {
        continue;
      }
      if (now - last_error_tick >= log_interval) {
-        LOG_WARN(
-            "Windows capturer secure desktop frame query failed, stage='{}', "
-            "session_id={}, error={}",
-            status.interactive_stage, status.active_session_id, error_message);
+        if (transient_error) {
+          LOG_INFO(
+              "Windows capturer secure desktop transient frame query failed, "
+              "stage='{}', session_id={}, error={}",
+              status.interactive_stage, status.active_session_id,
+              error_message);
+        } else {
+          LOG_WARN(
+              "Windows capturer secure desktop frame query failed, stage='{}', "
+              "session_id={}, error={}",
+              status.interactive_stage, status.active_session_id,
+              error_message);
+        }
        last_error_tick = now;
      }
    }
@@ -742,7 +1057,8 @@ void ScreenCapturerWin::SecureDesktopCaptureLoop() {
    std::this_thread::sleep_for(std::chrono::milliseconds(frame_interval_ms));
  }

+  StopSecureDesktopSharedCapture(secure_shared_session_id_);
  secure_desktop_capture_active_.store(false, std::memory_order_relaxed);
 }

-}  // namespace crossdesk
+}  // namespace crossdesk
@@ -10,6 +10,7 @@
 #include <Windows.h>

 #include <atomic>
+#include <cstdint>
 #include <memory>
 #include <mutex>
 #include <thread>
@@ -59,6 +60,19 @@ class ScreenCapturerWin : public ScreenCapturer {
  int initial_monitor_index_ = 0;
  std::atomic<bool> secure_desktop_capture_active_{false};
  std::thread secure_capture_thread_;
+  HANDLE secure_frame_mapping_ = nullptr;
+  HANDLE secure_frame_ready_event_ = nullptr;
+  uint8_t* secure_frame_view_ = nullptr;
+  size_t secure_frame_view_size_ = 0;
+  DWORD secure_shared_session_id_ = 0xFFFFFFFF;
+  int secure_shared_left_ = 0;
+  int secure_shared_top_ = 0;
+  int secure_shared_width_ = 0;
+  int secure_shared_height_ = 0;
+  int secure_shared_fps_ = 0;
+  bool secure_shared_show_cursor_ = true;
+  std::string secure_shared_stage_;
+  bool secure_shared_capture_started_ = false;

  void BuildCanonicalFromImpl();
  void RebuildAliasesFromImpl();
@@ -66,6 +80,19 @@ class ScreenCapturerWin : public ScreenCapturer {
  void SecureDesktopCaptureLoop();
  bool GetCurrentCaptureRegion(int* left, int* top, int* width, int* height,
                               std::string* display_name);
+  bool StartSecureDesktopSharedCapture(DWORD session_id, int left, int top,
+                                       int width, int height,
+                                       const std::string& stage,
+                                       bool show_cursor, int fps,
+                                       std::string* error_out);
+  void StopSecureDesktopSharedCapture(DWORD session_id);
+  bool OpenSecureDesktopSharedFrame(DWORD session_id, size_t min_size,
+                                    std::string* error_out);
+  bool ReadSecureDesktopSharedFrame(DWORD wait_ms,
+                                    std::vector<uint8_t>* nv12_frame_out,
+                                    int* width_out, int* height_out,
+                                    std::string* error_out);
+  void CloseSecureDesktopSharedFrame();
 };
 }  // namespace crossdesk
-#endif
+#endif
@@ -13,7 +13,8 @@ namespace crossdesk {

 inline bool IsSecureDesktopInteractionRequired(
    const std::string& interactive_stage) {
-  return interactive_stage == "credential-ui" ||
+  return interactive_stage == "lock-screen" ||
+         interactive_stage == "credential-ui" ||
         interactive_stage == "secure-desktop";
 }

@@ -38,4 +39,4 @@ inline bool ShouldNormalizeUnlockToUserDesktop(

 }  // namespace crossdesk

-#endif
+#endif
@@ -31,6 +31,7 @@ constexpr char kSecureDesktopMouseIpcCommandPrefix[] = "secure-input-mouse:";
 constexpr wchar_t kCrossDeskClientProcessName[] = L"crossdesk.exe";
 constexpr DWORD kCrossDeskClientMonitorIntervalMs = 1000;
 constexpr ULONGLONG kCrossDeskClientMonitorStartupGraceMs = 5000;
+constexpr ULONGLONG kSasSecureDesktopGraceMs = 15000;

 using SendSasFunction = VOID(WINAPI*)(BOOL);

@@ -262,8 +263,8 @@ bool GrantCrossDeskServiceStartAccessToAuthenticatedUsers(SC_HANDLE service) {
 std::string QueryNamedPipeMessage(const std::wstring& pipe_name,
                                  const std::string& command,
                                  DWORD timeout_ms) {
-  constexpr int kPipeConnectRetryCount = 3;
  constexpr DWORD kPipeConnectRetryDelayMs = 15;
+  const ULONGLONG deadline_tick = GetTickCount64() + timeout_ms;

  auto is_transient_pipe_error = [](DWORD error) {
    return error == ERROR_FILE_NOT_FOUND || error == ERROR_PIPE_BUSY ||
@@ -271,12 +272,23 @@ std::string QueryNamedPipeMessage(const std::wstring& pipe_name,
  };

  HANDLE pipe = INVALID_HANDLE_VALUE;
-  for (int attempt = 0; attempt < kPipeConnectRetryCount; ++attempt) {
-    if (!WaitNamedPipeW(pipe_name.c_str(), timeout_ms)) {
+  DWORD last_error = ERROR_SEM_TIMEOUT;
+  while (GetTickCount64() <= deadline_tick) {
+    const ULONGLONG now = GetTickCount64();
+    const DWORD wait_timeout =
+        deadline_tick > now
+            ? static_cast<DWORD>((std::min)(
+                  deadline_tick - now, static_cast<ULONGLONG>(MAXDWORD)))
+            : 0;
+
+    if (!WaitNamedPipeW(pipe_name.c_str(), wait_timeout)) {
      const DWORD error = GetLastError();
-      if (attempt + 1 < kPipeConnectRetryCount &&
-          is_transient_pipe_error(error)) {
-        Sleep(kPipeConnectRetryDelayMs);
+      last_error = error;
+      const ULONGLONG retry_tick = GetTickCount64();
+      if (is_transient_pipe_error(error) && retry_tick < deadline_tick) {
+        Sleep(static_cast<DWORD>((std::min)(
+            static_cast<ULONGLONG>(kPipeConnectRetryDelayMs),
+            deadline_tick - retry_tick)));
        continue;
      }
      return BuildErrorJson("pipe_unavailable", error);
@@ -289,14 +301,21 @@ std::string QueryNamedPipeMessage(const std::wstring& pipe_name,
    }

    const DWORD error = GetLastError();
-    if (attempt + 1 < kPipeConnectRetryCount &&
-        is_transient_pipe_error(error)) {
-      Sleep(kPipeConnectRetryDelayMs);
+    last_error = error;
+    const ULONGLONG retry_tick = GetTickCount64();
+    if (is_transient_pipe_error(error) && retry_tick < deadline_tick) {
+      Sleep(static_cast<DWORD>((std::min)(
+          static_cast<ULONGLONG>(kPipeConnectRetryDelayMs),
+          deadline_tick - retry_tick)));
      continue;
    }
    return BuildErrorJson("pipe_connect_failed", error);
  }

+  if (pipe == INVALID_HANDLE_VALUE) {
+    return BuildErrorJson("pipe_unavailable", last_error);
+  }
+
  DWORD pipe_mode = PIPE_READMODE_MESSAGE;
  SetNamedPipeHandleState(pipe, &pipe_mode, nullptr, nullptr);

@@ -337,20 +356,27 @@ std::string BuildSecureDesktopMouseIpcCommand(int x, int y, int wheel,
  return stream.str();
 }

-std::string BuildSecureInputHelperKeyboardCommand(int key_code, bool is_down,
-                                                  uint32_t scan_code,
-                                                  bool extended) {
+std::string BuildSecureInputHelperKeyboardCommand(
+    int key_code, bool is_down, uint32_t scan_code, bool extended,
+    const std::string& interactive_stage) {
  std::ostringstream stream;
  stream << kCrossDeskSecureInputKeyboardCommandPrefix << key_code << ":"
         << (is_down ? 1 : 0) << ":" << scan_code << ":" << (extended ? 1 : 0);
+  if (!interactive_stage.empty()) {
+    stream << ":" << interactive_stage;
+  }
  return stream.str();
 }

-std::string BuildSecureInputHelperMouseCommand(int x, int y, int wheel,
-                                               int flag) {
+std::string BuildSecureInputHelperMouseCommand(
+    int x, int y, int wheel, int flag,
+    const std::string& interactive_stage) {
  std::ostringstream stream;
  stream << kCrossDeskSecureInputMouseCommandPrefix << x << ":" << y << ":"
         << wheel << ":" << flag;
+  if (!interactive_stage.empty()) {
+    stream << ":" << interactive_stage;
+  }
  return stream.str();
 }

@@ -565,6 +591,15 @@ const char* DetermineInteractiveStage(bool lock_app_visible,
  return "user-desktop";
 }

+std::wstring SecureInputHelperDesktopForStage(
+    const std::string& interactive_stage) {
+  if (interactive_stage == "credential-ui" ||
+      interactive_stage == "secure-desktop") {
+    return L"winsta0\\Winlogon";
+  }
+  return L"winsta0\\default";
+}
+
 bool GetSessionUserName(DWORD session_id, std::wstring* username_out) {
  if (username_out == nullptr) {
    return false;
@@ -993,12 +1028,14 @@ int CrossDeskServiceHost::InitializeRuntime() {
  session_helper_report_credential_ui_visible_ = false;
  session_helper_report_unlock_ui_visible_ = false;
  secure_input_helper_running_ = false;
+  sas_secure_desktop_seen_ = false;
  last_sas_error_code_ = 0;
  last_sas_success_ = false;
  session_helper_started_at_tick_ = 0;
  session_helper_report_state_age_ms_ = 0;
  session_helper_report_uptime_ms_ = 0;
  secure_input_helper_started_at_tick_ = 0;
+  sas_secure_desktop_until_tick_ = 0;
  session_helper_process_handle_ = nullptr;
  session_helper_stop_event_ = nullptr;
  secure_input_helper_process_handle_ = nullptr;
@@ -1010,6 +1047,7 @@ int CrossDeskServiceHost::InitializeRuntime() {
  session_helper_report_input_desktop_.clear();
  session_helper_report_interactive_stage_.clear();
  secure_input_helper_last_error_.clear();
+  secure_input_helper_interactive_stage_.clear();
  last_session_event_type_ = 0;
  last_session_event_session_id_ = active_session_id_;
  RefreshSessionState();
@@ -1285,7 +1323,8 @@ bool CrossDeskServiceHost::IsHelperReportingLockScreenLocked() const {
 }

 bool CrossDeskServiceHost::HasSecureInputUiLocked() const {
-  return prelogin_ || secure_desktop_active_ || logon_ui_visible_ ||
+  return IsSasSecureDesktopGraceActiveLocked() || prelogin_ ||
+         secure_desktop_active_ || logon_ui_visible_ ||
         session_helper_report_credential_ui_visible_ ||
         session_helper_report_secure_desktop_active_ ||
         session_helper_report_unlock_ui_visible_ ||
@@ -1293,6 +1332,30 @@ bool CrossDeskServiceHost::HasSecureInputUiLocked() const {
         session_helper_report_interactive_stage_ == "secure-desktop";
 }

+void CrossDeskServiceHost::UpdateSasSecureDesktopGraceLocked(
+    const std::string& observed_stage) {
+  if (sas_secure_desktop_until_tick_ == 0) {
+    sas_secure_desktop_seen_ = false;
+    return;
+  }
+
+  if (observed_stage == "credential-ui" || observed_stage == "secure-desktop" ||
+      observed_stage == "lock-screen") {
+    sas_secure_desktop_seen_ = true;
+    return;
+  }
+
+  if (sas_secure_desktop_seen_ && observed_stage == "user-desktop") {
+    sas_secure_desktop_until_tick_ = 0;
+    sas_secure_desktop_seen_ = false;
+  }
+}
+
+bool CrossDeskServiceHost::IsSasSecureDesktopGraceActiveLocked() const {
+  return last_sas_success_ && sas_secure_desktop_until_tick_ != 0 &&
+         GetTickCount64() < sas_secure_desktop_until_tick_;
+}
+
 bool CrossDeskServiceHost::ShouldKeepSecureInputHelperLocked(
    DWORD target_session_id) const {
  if (target_session_id == 0xFFFFFFFF) {
@@ -1303,6 +1366,23 @@ bool CrossDeskServiceHost::ShouldKeepSecureInputHelperLocked(
                                      IsHelperReportingLockScreenLocked());
 }

+std::string CrossDeskServiceHost::ResolveInteractiveStageLocked() const {
+  if (IsSasSecureDesktopGraceActiveLocked() &&
+      (session_helper_report_interactive_stage_.empty() ||
+       session_helper_report_interactive_stage_ == "user-desktop")) {
+    return "secure-desktop";
+  }
+
+  if (!session_helper_report_interactive_stage_.empty()) {
+    return session_helper_report_interactive_stage_;
+  }
+
+  return DetermineInteractiveStage(
+      IsHelperReportingLockScreenLocked(),
+      session_helper_report_credential_ui_visible_ || logon_ui_visible_,
+      session_helper_report_secure_desktop_active_ || secure_desktop_active_);
+}
+
 std::wstring CrossDeskServiceHost::GetSessionHelperPath() const {
  std::wstring current_executable = GetCurrentExecutablePathW();
  if (current_executable.empty()) {
@@ -1392,6 +1472,7 @@ void CrossDeskServiceHost::ReapSecureInputHelper() {
    secure_input_helper_process_id_ = 0;
    secure_input_helper_exit_code_ = exit_code;
    secure_input_helper_started_at_tick_ = 0;
+    secure_input_helper_interactive_stage_.clear();
  }

  if (process_handle != nullptr) {
@@ -1450,6 +1531,7 @@ void CrossDeskServiceHost::StopSecureInputHelper() {
    secure_input_helper_running_ = false;
    secure_input_helper_process_id_ = 0;
    secure_input_helper_started_at_tick_ = 0;
+    secure_input_helper_interactive_stage_.clear();
  }

  if (stop_event_handle != nullptr) {
@@ -1577,7 +1659,8 @@ bool CrossDeskServiceHost::LaunchSessionHelper(DWORD session_id) {
  return true;
 }

-bool CrossDeskServiceHost::LaunchSecureInputHelper(DWORD session_id) {
+bool CrossDeskServiceHost::LaunchSecureInputHelper(
+    DWORD session_id, const std::string& interactive_stage) {
  std::wstring helper_path = GetSecureInputHelperPath();
  if (helper_path.empty() || !std::filesystem::exists(helper_path)) {
    std::lock_guard<std::mutex> lock(state_mutex_);
@@ -1611,7 +1694,10 @@ bool CrossDeskServiceHost::LaunchSecureInputHelper(DWORD session_id) {

  STARTUPINFOW startup_info{};
  startup_info.cb = sizeof(startup_info);
-  startup_info.lpDesktop = const_cast<LPWSTR>(L"winsta0\\Winlogon");
+  std::wstring secure_input_helper_desktop =
+      SecureInputHelperDesktopForStage(interactive_stage);
+  startup_info.lpDesktop =
+      const_cast<LPWSTR>(secure_input_helper_desktop.c_str());
  PROCESS_INFORMATION process_info{};
  BOOL created = FALSE;

@@ -1660,10 +1746,14 @@ bool CrossDeskServiceHost::LaunchSecureInputHelper(DWORD session_id) {
    secure_input_helper_last_error_.clear();
    secure_input_helper_running_ = true;
    secure_input_helper_started_at_tick_ = GetTickCount64();
+    secure_input_helper_interactive_stage_ = interactive_stage;
  }

-  LOG_INFO("Secure input helper started: session_id={}, pid={}", session_id,
-           process_info.dwProcessId);
+  LOG_INFO(
+      "Secure input helper started: session_id={}, pid={}, stage='{}', "
+      "desktop='{}'",
+      session_id, process_info.dwProcessId, interactive_stage,
+      WideToUtf8(secure_input_helper_desktop));
  return true;
 }

@@ -1762,6 +1852,7 @@ void CrossDeskServiceHost::RefreshSessionHelperReportedState() {
      json.value("interactive_stage", std::string());
  session_helper_report_state_age_ms_ = json.value("state_age_ms", 0ull);
  session_helper_report_uptime_ms_ = json.value("uptime_ms", 0ull);
+  UpdateSasSecureDesktopGraceLocked(session_helper_report_interactive_stage_);
 }

 void CrossDeskServiceHost::RecordSessionEvent(DWORD event_type,
@@ -1845,21 +1936,26 @@ std::string CrossDeskServiceHost::BuildStatusResponse() {
  bool keep_secure_input_helper = false;
  bool launch_secure_input_helper = false;
  DWORD secure_input_target_session_id = 0xFFFFFFFF;
+  std::string secure_input_interactive_stage;
  {
    std::lock_guard<std::mutex> lock(state_mutex_);
    secure_input_target_session_id = active_session_id_;
+    secure_input_interactive_stage = ResolveInteractiveStageLocked();
    keep_secure_input_helper =
        ShouldKeepSecureInputHelperLocked(secure_input_target_session_id);
    launch_secure_input_helper =
        keep_secure_input_helper &&
        (!secure_input_helper_running_ ||
-         secure_input_helper_session_id_ != secure_input_target_session_id);
+         secure_input_helper_session_id_ != secure_input_target_session_id ||
+         secure_input_helper_interactive_stage_ !=
+             secure_input_interactive_stage);
  }

  if (keep_secure_input_helper) {
    if (launch_secure_input_helper) {
      StopSecureInputHelper();
-      LaunchSecureInputHelper(secure_input_target_session_id);
+      LaunchSecureInputHelper(secure_input_target_session_id,
+                              secure_input_interactive_stage);
    }
  } else {
    StopSecureInputHelper();
@@ -1883,7 +1979,11 @@ std::string CrossDeskServiceHost::BuildStatusResponse() {
      EscapeJsonString(session_helper_report_input_desktop_);
  std::string secure_input_helper_last_error =
      EscapeJsonString(secure_input_helper_last_error_);
+  std::string secure_input_helper_interactive_stage =
+      EscapeJsonString(secure_input_helper_interactive_stage_);
  bool interactive_state_ready = session_helper_status_ok_;
+  const bool sas_secure_desktop_grace_active =
+      IsSasSecureDesktopGraceActiveLocked();
  const char* interactive_state_source =
      interactive_state_ready ? "session-helper" : "service-host";
  const bool effective_session_locked = GetEffectiveSessionLockedLocked();
@@ -1897,21 +1997,24 @@ std::string CrossDeskServiceHost::BuildStatusResponse() {
  bool unlock_ui_visible = interactive_state_ready
                               ? session_helper_report_unlock_ui_visible_
                               : (logon_ui_visible_ || secure_desktop_active_);
+  unlock_ui_visible = unlock_ui_visible || sas_secure_desktop_grace_active;
  bool interactive_secure_desktop_active =
      interactive_state_ready ? session_helper_report_secure_desktop_active_
                              : secure_desktop_active_;
+  interactive_secure_desktop_active =
+      interactive_secure_desktop_active || sas_secure_desktop_grace_active;
  bool interactive_logon_ui_visible =
      interactive_state_ready ? session_helper_report_logon_ui_visible_
                              : logon_ui_visible_;
  bool interactive_session_locked = effective_session_locked ||
                                    interactive_lock_screen_visible ||
-                                    unlock_ui_visible;
+                                    unlock_ui_visible ||
+                                    sas_secure_desktop_grace_active;
  std::string interactive_input_desktop = EscapeJsonString(
      interactive_state_ready ? session_helper_report_input_desktop_
                              : input_desktop_name_);
-  std::string interactive_stage = EscapeJsonString(DetermineInteractiveStage(
-      interactive_lock_screen_visible, credential_ui_visible,
-      interactive_secure_desktop_active));
+  std::string raw_interactive_stage = ResolveInteractiveStageLocked();
+  std::string interactive_stage = EscapeJsonString(raw_interactive_stage);
  std::ostringstream stream;
  stream << "{\"ok\":true,\"service\":\"CrossDeskService\""
         << ",\"active_session_id\":" << active_session_id_
@@ -1932,6 +2035,8 @@ std::string CrossDeskServiceHost::BuildStatusResponse() {
         << (interactive_logon_ui_visible ? "true" : "false")
         << ",\"interactive_secure_desktop_active\":"
         << (interactive_secure_desktop_active ? "true" : "false")
+         << ",\"sas_secure_desktop_grace_active\":"
+         << (sas_secure_desktop_grace_active ? "true" : "false")
         << ",\"unlock_ui_visible\":" << (unlock_ui_visible ? "true" : "false")
         << ",\"credential_ui_visible\":"
         << (credential_ui_visible ? "true" : "false")
@@ -2005,6 +2110,8 @@ std::string CrossDeskServiceHost::BuildStatusResponse() {
         << secure_input_helper_last_error << "\""
         << ",\"secure_input_helper_last_error_code\":"
         << secure_input_helper_last_error_code_
+         << ",\"secure_input_helper_stage\":\""
+         << secure_input_helper_interactive_stage << "\""
         << ",\"secure_input_helper_uptime_ms\":"
         << (secure_input_helper_started_at_tick_ >= started_at_tick_
                 ? (GetTickCount64() - secure_input_helper_started_at_tick_)
@@ -2034,10 +2141,14 @@ std::string CrossDeskServiceHost::SendSecureAttentionSequence() {
  SasResult result = SendSasNow();
  {
    std::lock_guard<std::mutex> lock(state_mutex_);
-    last_sas_tick_ = GetTickCount64();
+    const ULONGLONG now = GetTickCount64();
+    last_sas_tick_ = now;
    last_sas_success_ = result.success;
    last_sas_error_code_ = result.error_code;
    last_sas_error_ = result.error;
+    sas_secure_desktop_until_tick_ =
+        result.success ? now + kSasSecureDesktopGraceMs : 0;
+    sas_secure_desktop_seen_ = false;
  }

  if (!result.success) {
@@ -2051,15 +2162,21 @@ std::string CrossDeskServiceHost::SendSecureDesktopKeyboardInput(
  RefreshSessionState();
  ReapSecureInputHelper();
  EnsureSessionHelper();
+  RefreshSessionHelperReportedState();

  DWORD target_session_id = 0xFFFFFFFF;
  bool helper_running = false;
  bool can_inject = false;
+  std::string interactive_stage;
  {
    std::lock_guard<std::mutex> lock(state_mutex_);
    target_session_id = active_session_id_;
+    interactive_stage = ResolveInteractiveStageLocked();
+    const bool helper_stage_matches =
+        secure_input_helper_interactive_stage_ == interactive_stage;
    helper_running = secure_input_helper_running_ &&
-                     secure_input_helper_session_id_ == target_session_id;
+                     secure_input_helper_session_id_ == target_session_id &&
+                     helper_stage_matches;
    can_inject = GetEffectiveSessionLockedLocked() || HasSecureInputUiLocked();
  }

@@ -2072,7 +2189,7 @@ std::string CrossDeskServiceHost::SendSecureDesktopKeyboardInput(

  if (!helper_running) {
    StopSecureInputHelper();
-    if (!LaunchSecureInputHelper(target_session_id)) {
+    if (!LaunchSecureInputHelper(target_session_id, interactive_stage)) {
      std::lock_guard<std::mutex> lock(state_mutex_);
      return BuildErrorJson(secure_input_helper_last_error_.c_str(),
                            secure_input_helper_last_error_code_);
@@ -2082,7 +2199,7 @@ std::string CrossDeskServiceHost::SendSecureDesktopKeyboardInput(
  return QueryNamedPipeMessage(
      GetCrossDeskSecureInputHelperPipeName(target_session_id),
      BuildSecureInputHelperKeyboardCommand(key_code, is_down, scan_code,
-                                            extended),
+                                            extended, interactive_stage),
      1000);
 }

@@ -2092,15 +2209,21 @@ std::string CrossDeskServiceHost::SendSecureDesktopMouseInput(int x, int y,
  RefreshSessionState();
  ReapSecureInputHelper();
  EnsureSessionHelper();
+  RefreshSessionHelperReportedState();

  DWORD target_session_id = 0xFFFFFFFF;
  bool helper_running = false;
  bool can_inject = false;
+  std::string interactive_stage;
  {
    std::lock_guard<std::mutex> lock(state_mutex_);
    target_session_id = active_session_id_;
+    interactive_stage = ResolveInteractiveStageLocked();
+    const bool helper_stage_matches =
+        secure_input_helper_interactive_stage_ == interactive_stage;
    helper_running = secure_input_helper_running_ &&
-                     secure_input_helper_session_id_ == target_session_id;
+                     secure_input_helper_session_id_ == target_session_id &&
+                     helper_stage_matches;
    can_inject = GetEffectiveSessionLockedLocked() || HasSecureInputUiLocked();
  }

@@ -2113,7 +2236,7 @@ std::string CrossDeskServiceHost::SendSecureDesktopMouseInput(int x, int y,

  if (!helper_running) {
    StopSecureInputHelper();
-    if (!LaunchSecureInputHelper(target_session_id)) {
+    if (!LaunchSecureInputHelper(target_session_id, interactive_stage)) {
      std::lock_guard<std::mutex> lock(state_mutex_);
      return BuildErrorJson(secure_input_helper_last_error_.c_str(),
                            secure_input_helper_last_error_code_);
@@ -2122,7 +2245,8 @@ std::string CrossDeskServiceHost::SendSecureDesktopMouseInput(int x, int y,

  return QueryNamedPipeMessage(
      GetCrossDeskSecureInputHelperPipeName(target_session_id),
-      BuildSecureInputHelperMouseCommand(x, y, wheel, flag), 1000);
+      BuildSecureInputHelperMouseCommand(x, y, wheel, flag, interactive_stage),
+      1000);
 }

 bool InstallCrossDeskService(const std::wstring& binary_path) {
@@ -45,7 +45,8 @@ class CrossDeskServiceHost {
  bool LaunchSessionHelper(DWORD session_id);
  void ReapSecureInputHelper();
  void StopSecureInputHelper();
-  bool LaunchSecureInputHelper(DWORD session_id);
+  bool LaunchSecureInputHelper(DWORD session_id,
+                               const std::string& interactive_stage);
  std::wstring GetSessionHelperPath() const;
  std::wstring GetSessionHelperStopEventName(DWORD session_id) const;
  std::wstring GetSecureInputHelperPath() const;
@@ -55,7 +56,10 @@ class CrossDeskServiceHost {
  bool GetEffectiveSessionLockedLocked() const;
  bool IsHelperReportingLockScreenLocked() const;
  bool HasSecureInputUiLocked() const;
+  void UpdateSasSecureDesktopGraceLocked(const std::string& observed_stage);
+  bool IsSasSecureDesktopGraceActiveLocked() const;
  bool ShouldKeepSecureInputHelperLocked(DWORD target_session_id) const;
+  std::string ResolveInteractiveStageLocked() const;
  void RefreshSessionHelperReportedState();
  void RecordSessionEvent(DWORD event_type, DWORD session_id);
  std::string HandleIpcCommand(const std::string& command);
@@ -101,6 +105,7 @@ class CrossDeskServiceHost {
  ULONGLONG session_helper_report_state_age_ms_ = 0;
  ULONGLONG session_helper_report_uptime_ms_ = 0;
  ULONGLONG secure_input_helper_started_at_tick_ = 0;
+  ULONGLONG sas_secure_desktop_until_tick_ = 0;
  bool session_locked_ = false;
  bool logon_ui_visible_ = false;
  bool prelogin_ = false;
@@ -117,6 +122,7 @@ class CrossDeskServiceHost {
  bool session_helper_report_unlock_ui_visible_ = false;
  bool secure_input_helper_running_ = false;
  bool console_mode_ = false;
+  bool sas_secure_desktop_seen_ = false;
  DWORD last_sas_error_code_ = 0;
  bool last_sas_success_ = false;
  HANDLE session_helper_process_handle_ = nullptr;
@@ -130,6 +136,7 @@ class CrossDeskServiceHost {
  std::string session_helper_report_input_desktop_;
  std::string session_helper_report_interactive_stage_;
  std::string secure_input_helper_last_error_;
+  std::string secure_input_helper_interactive_stage_;

  static CrossDeskServiceHost* instance_;
 };
@@ -23,7 +23,15 @@ inline constexpr char kCrossDeskSecureInputKeyboardCommandPrefix[] =
    "keyboard:";
 inline constexpr char kCrossDeskSecureInputMouseCommandPrefix[] = "mouse:";
 inline constexpr char kCrossDeskSecureInputCaptureCommandPrefix[] = "capture:";
+inline constexpr char kCrossDeskSecureInputCaptureStartCommandPrefix[] =
+    "capture-start:";
+inline constexpr char kCrossDeskSecureInputCaptureStopCommand[] =
+    "capture-stop";
 inline constexpr DWORD kCrossDeskSecureInputPipeBufferBytes = 16 * 1024 * 1024;
+inline constexpr wchar_t kCrossDeskSecureDesktopFrameMappingPrefix[] =
+    L"Global\\CrossDeskSecureDesktopFrame-";
+inline constexpr wchar_t kCrossDeskSecureDesktopFrameReadyEventPrefix[] =
+    L"Global\\CrossDeskSecureDesktopFrameReady-";
 inline constexpr uint32_t kCrossDeskSecureDesktopFrameMagic = 0x50444358;
 inline constexpr uint32_t kCrossDeskSecureDesktopFrameVersion = 1;

@@ -37,6 +45,19 @@ struct CrossDeskSecureDesktopFrameHeader {
  uint32_t height;
  uint32_t payload_size;
 };
+
+struct CrossDeskSecureDesktopSharedFrameHeader {
+  uint32_t magic;
+  uint32_t version;
+  volatile uint32_t writing;
+  uint32_t sequence;
+  int32_t left;
+  int32_t top;
+  uint32_t width;
+  uint32_t height;
+  uint32_t payload_size;
+  uint32_t buffer_size;
+};
 #pragma pack(pop)

 inline std::wstring GetCrossDeskSessionHelperPipeName(DWORD session_id) {
@@ -49,6 +70,18 @@ inline std::wstring GetCrossDeskSecureInputHelperPipeName(DWORD session_id) {
         std::to_wstring(session_id);
 }

+inline std::wstring GetCrossDeskSecureDesktopFrameMappingName(
+    DWORD session_id) {
+  return std::wstring(kCrossDeskSecureDesktopFrameMappingPrefix) +
+         std::to_wstring(session_id);
+}
+
+inline std::wstring GetCrossDeskSecureDesktopFrameReadyEventName(
+    DWORD session_id) {
+  return std::wstring(kCrossDeskSecureDesktopFrameReadyEventPrefix) +
+         std::to_wstring(session_id);
+}
+
 }  // namespace crossdesk

-#endif
+#endif
@@ -0,0 +1,149 @@
+#include <filesystem>
+#include <fstream>
+#include <iostream>
+#include <sstream>
+#include <string>
+
+#include "interactive_state.h"
+
+namespace {
+
+std::filesystem::path FindRepoRoot() {
+  std::filesystem::path current = std::filesystem::current_path();
+  while (!current.empty()) {
+    if (std::filesystem::exists(current / "xmake.lua") &&
+        std::filesystem::exists(
+            current / "src/service/windows/service_host.cpp")) {
+      return current;
+    }
+    current = current.parent_path();
+  }
+  return {};
+}
+
+std::string ReadFile(const std::filesystem::path& path) {
+  std::ifstream file(path, std::ios::binary);
+  if (!file) {
+    return {};
+  }
+
+  std::ostringstream stream;
+  stream << file.rdbuf();
+  return stream.str();
+}
+
+bool ExpectContains(const char* name, const std::string& value,
+                    const std::string& expected) {
+  if (value.find(expected) != std::string::npos) {
+    return true;
+  }
+
+  std::cerr << name << " missing expected text: " << expected << "\n";
+  return false;
+}
+
+bool ExpectNotContains(const char* name, const std::string& value,
+                       const std::string& unexpected) {
+  if (value.find(unexpected) == std::string::npos) {
+    return true;
+  }
+
+  std::cerr << name << " contains unexpected text: " << unexpected << "\n";
+  return false;
+}
+
+bool ExpectTrue(const char* name, bool value) {
+  if (value) {
+    return true;
+  }
+
+  std::cerr << name << " expected true\n";
+  return false;
+}
+
+}  // namespace
+
+int main() {
+  const std::filesystem::path repo_root = FindRepoRoot();
+  if (repo_root.empty()) {
+    std::cerr << "failed to locate repository root\n";
+    return 1;
+  }
+
+  const std::string control_bar =
+      ReadFile(repo_root / "src/gui/toolbars/control_bar.cpp");
+  const std::string render = ReadFile(repo_root / "src/gui/render.cpp");
+  const std::string render_h = ReadFile(repo_root / "src/gui/render.h");
+  const std::string service_host =
+      ReadFile(repo_root / "src/service/windows/service_host.cpp");
+  const std::string service_host_h =
+      ReadFile(repo_root / "src/service/windows/service_host.h");
+  const std::string session_helper =
+      ReadFile(repo_root / "src/service/windows/session_helper_main.cpp");
+
+  bool ok = true;
+  ok &= ExpectTrue("secure desktop input routing",
+                   crossdesk::IsSecureDesktopInteractionRequired(
+                       "secure-desktop"));
+  ok &= ExpectNotContains("control_bar.cpp", control_bar,
+                          "CanSendSecureAttentionSequence("
+                          "props->remote_interactive_stage_)");
+  ok &= ExpectNotContains("control_bar.cpp", control_bar,
+                          "ImGui::BeginDisabled();\n"
+                          "      }\n"
+                          "      if (ImGui::Selectable(sas_label.c_str()))");
+  ok &= ExpectNotContains("render.cpp", render, "sas_requires_lock_screen");
+  ok &= ExpectContains("render.h", render_h,
+                       "optimistic_windows_secure_desktop_until_tick_");
+  ok &= ExpectContains("render.cpp", render,
+                       "kWindowsServiceSasSecureDesktopGraceMs");
+  ok &= ExpectContains("render.cpp", render,
+                       "status->sas_secure_desktop_grace_active");
+  ok &= ExpectContains("render.cpp", render,
+                       "json.value(\"sas_secure_desktop_grace_active\", false)");
+  ok &= ExpectContains("render.cpp", render,
+                       "status.sas_secure_desktop_grace_active");
+  ok &= ExpectContains("render.cpp", render,
+                       "local_interactive_stage_ = \"secure-desktop\"");
+  ok &= ExpectContains("service_host.h", service_host_h,
+                       "sas_secure_desktop_until_tick_");
+  ok &= ExpectContains("service_host.h", service_host_h,
+                       "sas_secure_desktop_seen_");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "kSasSecureDesktopGraceMs");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "IsSasSecureDesktopGraceActiveLocked()");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "UpdateSasSecureDesktopGraceLocked("
+                       "session_helper_report_interactive_stage_)");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "sas_secure_desktop_seen_ = true");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "sas_secure_desktop_until_tick_ = 0");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "sas_secure_desktop_until_tick_ =");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "now + kSasSecureDesktopGraceMs");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "\\\"sas_secure_desktop_grace_active\\\"");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "raw_interactive_stage = ResolveInteractiveStageLocked()");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "kSessionHelperStatePollMs = 1000");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "EVENT_SYSTEM_DESKTOPSWITCH");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "SetWinEventHook(");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "MsgWaitForMultipleObjects");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "WaitForSessionHelperStateChange(stop_event, "
+                       "desktop_switch_event)");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "inaccessible_secure_input_desktop");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "desktop_info.error_code == ERROR_ACCESS_DENIED");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "secure_desktop_active = input_desktop_is_winlogon ||");
+  return ok ? 0 : 1;
+}
@@ -39,6 +39,16 @@ bool ExpectContains(const char* name, const std::string& value,
  return false;
 }

+bool ExpectNotContains(const char* name, const std::string& value,
+                       const std::string& unexpected) {
+  if (value.find(unexpected) == std::string::npos) {
+    return true;
+  }
+
+  std::cerr << name << " contains unexpected text: " << unexpected << "\n";
+  return false;
+}
+
 }  // namespace

 int main() {
@@ -50,13 +60,166 @@ int main() {

  const std::string service_host =
      ReadFile(repo_root / "src/service/windows/service_host.cpp");
+  const std::string service_host_h =
+      ReadFile(repo_root / "src/service/windows/service_host.h");
+  const std::string session_helper =
+      ReadFile(repo_root / "src/service/windows/session_helper_main.cpp");
+  const std::string targets =
+      ReadFile(repo_root / "xmake/targets.lua");
+  const std::string interactive_state =
+      ReadFile(repo_root / "src/service/windows/interactive_state.h");
+  const std::string render_callback =
+      ReadFile(repo_root / "src/gui/render_callback.cpp");
+  const std::string render = ReadFile(repo_root / "src/gui/render.cpp");
+  const std::string screen_capturer_h =
+      ReadFile(repo_root / "src/screen_capturer/windows/screen_capturer_win.h");
+  const std::string screen_capturer_cpp =
+      ReadFile(repo_root / "src/screen_capturer/windows/screen_capturer_win.cpp");

  bool ok = true;
  ok &= ExpectContains("service_host.cpp", service_host,
                       "ParseSecureDesktopMouseIpcCommand");
  ok &= ExpectContains("service_host.cpp", service_host,
                       "BuildSecureInputHelperMouseCommand");
+  ok &= ExpectContains("targets.lua", targets,
+                       "target(\"crossdesk_session_helper\")");
+  ok &= ExpectContains("targets.lua", targets,
+                       "add_files(\"scripts/windows/crossdesk.rc\")");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "EnablePerMonitorDpiAwareness");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "SetProcessDpiAwarenessContext(\n"
+                       "      DPI_AWARENESS_CONTEXT_PER_MONITOR_AWARE_V2)");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "EnablePerMonitorDpiAwareness();\n\n"
+                       "  InitializeHelperLogger();");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "const ULONGLONG deadline_tick = GetTickCount64() + timeout_ms");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "while (GetTickCount64() <= deadline_tick)");
+  ok &= ExpectNotContains("service_host.cpp", service_host,
+                          "constexpr int kPipeConnectRetryCount = 3");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "BuildSecureInputHelperKeyboardCommand(");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "const std::string& interactive_stage");
+  ok &= ExpectContains("service_host.h", service_host_h,
+                       "bool LaunchSecureInputHelper(DWORD session_id,\n"
+                       "                               const std::string& interactive_stage)");
+  ok &= ExpectContains("service_host.h", service_host_h,
+                       "std::string secure_input_helper_interactive_stage_");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "SecureInputHelperDesktopForStage");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "return L\"winsta0\\\\Winlogon\"");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "return L\"winsta0\\\\default\"");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "secure_input_helper_interactive_stage_ == interactive_stage");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "secure_input_helper_interactive_stage_ = interactive_stage");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "secure_input_helper_interactive_stage_.clear()");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "LaunchSecureInputHelper(target_session_id, interactive_stage)");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "\\\"secure_input_helper_stage\\\":\\\"");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "session_helper_report_interactive_stage_");
  ok &= ExpectContains("service_host.cpp", service_host,
                       "return SendSecureDesktopMouseInput");
+  ok &= ExpectContains("render.cpp", render,
+                       "constexpr DWORD kWindowsServiceQueryTimeoutMs = 500");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "constexpr DWORD kSecureDesktopStatusPipeTimeoutMs = 500");
+  ok &= ExpectContains("render.cpp", render,
+                       "IsTransientWindowsServiceStatusError(status.error)");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "IsTransientWindowsServiceStatusError(status.error)");
+  ok &= ExpectContains("render.cpp", render,
+                       "Local Windows service temporarily unavailable");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "Windows capturer secure desktop service temporarily unavailable");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "Windows capturer secure desktop transient frame query failed");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "if (transient_error) {\n"
+                       "          LOG_INFO(");
+  ok &= ExpectContains("render_callback.cpp", render_callback,
+                       "IsTransientSecureDesktopInputFailure");
+  ok &= ExpectContains("render_callback.cpp", render_callback,
+                       "Secure desktop keyboard injection transient failure");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "MOUSEEVENTF_MOVE | MOUSEEVENTF_ABSOLUTE");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "MOUSEEVENTF_VIRTUALDESK");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "std::vector<INPUT> inputs");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "SendInput(static_cast<UINT>(inputs.size())");
+  ok &= ExpectNotContains("session_helper_main.cpp", session_helper,
+                          "SetCursorPos(request.x, request.y)");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "NormalizeAbsoluteMouseCoordinate");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "EnsureThreadInteractiveDesktop");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "OpenInputDesktop");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "DesktopNameForInteractiveStage");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "interactive_stage == \"credential-ui\"");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "return L\"Winlogon\"");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "interactive_stage == \"lock-screen\"");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "return L\"Default\"");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "EnsureThreadInteractiveDesktopForStage");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "switch_interactive_desktop_failed");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "Json BuildInputFailureJson");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "json[\"target_desktop\"]");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "json[\"current_desktop\"]");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "json[\"stage\"]");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "ParseSecureInputKeyboardCommand(command, &key_code, &is_down, &scan_code,\n"
+                       "                                      &extended, &interactive_stage)");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "InjectKeyboardInput(key_code, is_down, scan_code, extended,\n"
+                       "                            interactive_stage)");
+  ok &= ExpectContains("session_helper_main.cpp", session_helper,
+                       "InjectMouseInput(mouse_request)");
+  ok &= ExpectNotContains("session_helper_main.cpp", session_helper,
+                          "EnsureThreadDesktop(L\"Winlogon\", &secure_desktop)");
+  ok &= ExpectContains("service_host.cpp", service_host,
+                       "winsta0\\\\default");
+  ok &= ExpectNotContains("service_host.cpp", service_host,
+                          "startup_info.lpDesktop = const_cast<LPWSTR>(L\"winsta0\\\\Winlogon\")");
+  ok &= ExpectContains("interactive_state.h", interactive_state,
+                       "interactive_stage == \"lock-screen\"");
+  ok &= ExpectContains("render_callback.cpp", render_callback,
+                       "RemoteAction remote_action{};");
+  ok &= ExpectContains("render.cpp", render,
+                       "previous_secure_desktop_interaction");
+  ok &= ExpectNotContains(
+      "render_callback.cpp", render_callback,
+      "render->local_service_available_ &&\n"
+      "        IsSecureDesktopInteractionRequired(render->local_interactive_stage_)");
+  ok &= ExpectContains("screen_capturer_win.h", screen_capturer_h,
+                       "std::string secure_shared_stage_;");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "const std::string& stage");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "secure_shared_stage_ == stage");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "secure_shared_stage_ = stage");
+  ok &= ExpectContains("screen_capturer_win.cpp", screen_capturer_cpp,
+                       "secure_shared_stage_.clear()");
  return ok ? 0 : 1;
 }
@@ -54,6 +54,12 @@ function setup_targets()
        set_default(false)
        add_files("tests/windows_mouse_controller_safety_test.cpp")

+    target("windows_sas_guard_test")
+        set_kind("binary")
+        set_default(false)
+        add_includedirs("src/service/windows")
+        add_files("tests/windows_sas_guard_test.cpp")
+
    target("display_popup_hover_state_test")
        set_kind("binary")
        set_default(false)
@@ -217,6 +223,7 @@ function setup_targets()
            add_deps("rd_log", "path_manager")
            add_links("Advapi32", "User32", "Wtsapi32", "Gdi32")
            add_files("src/service/windows/session_helper_main.cpp")
+            add_files("scripts/windows/crossdesk.rc")
            add_includedirs("src/service/windows", {public = true})
    end
Author	SHA1	Message	Date
dijunkun	06c53fdc9c	[fix] handle SAS secure desktop transitions and restore desktop capture promptly, refs #77	2026-05-26 04:38:07 +08:00
dijunkun	665f4e684c	[feat] improve Windows secure desktop capture and input handling, refs #77	2026-05-26 03:26:37 +08:00
dijunkun	52b894fe0e	[feat] improve secure desktop capture by streaming latest frames through shared memory	2026-05-26 01:28:12 +08:00