bug: Recording stops when user launches a process as administrator (UAC Secure Desktop)

[J-MaFf]

Describe the bug

When the recorded user (dpuerner or any target user) launches an application as administrator during a session, the recording file ends prematurely at that point.

Root Cause

This is caused by the UAC Secure Desktop (Winsta0\Winlogon). When Windows shows the elevation prompt ("Do you want to allow this app to make changes..."), it temporarily switches from the user's normal desktop (Winsta0\Default) to a separate, isolated secure desktop.

gdigrab -i desktop holds an OS handle to Winsta0\Default. When the switch occurs, that handle becomes invalid and FFmpeg exits with code 0 (a clean exit, not a crash code) — stopping the recording at exactly the moment UAC fires.

Note: The exit code being 0 is important. A fix based on checking for non-zero exit codes would not catch UAC-triggered exits and would incorrectly treat them as graceful logoffs.

Impact

Any elevated action (right-click → Run as administrator, installers, UAC prompts) will silently end the recording. For Dina's iKAT error capture use case, if the error occurs after an elevation prompt, the recording will be missing the relevant footage.

Steps to Reproduce

1. Log on as the target user
2. Confirm recording is active (C:\Recordings has a growing .ts file)
3. Right-click any application → Run as administrator
4. Observe the UAC prompt
5. Check C:\Recordings — the .ts file has stopped growing; a new file is NOT started

Proposed Fix

Add a restart loop to Invoke-iKATRecording.ps1. Instead of the script exiting when FFmpeg exits, it should check if the current user session is still active and, if so, start a new FFmpeg instance with a new timestamped output file.

# Pseudocode
while ($userSessionActive) {
    $outputFile = "$TargetUser_session_$(Get-Date -Format 'yyyyMMdd_HHmmss').ts"
    Start-FFmpeg -OutputFile $outputFile
    Wait-ForFFmpegToExit
    # If we're still logged in, loop and start a new recording segment
}

This means a single session could produce multiple .ts files (e.g., one before the UAC prompt, one after), but no footage is permanently lost.

Acceptance Criteria

• Launching an elevated process does not permanently stop the recording
• A new .ts file is automatically started after FFmpeg exits mid-session
• Recording continues until the user actually logs off (not just until the next elevation prompt)
• Each segment file is named with a timestamp so segments are distinguishable

[J-MaFf]

Implementation Plan

Overview

Wrap the ffmpeg launch in a \while\ loop that checks if the user is still logged on after ffmpeg exits. If the session is still active → wait 2 seconds and start a new recording segment. Each restart produces a new part file sharing the session's original timestamp as a shared ID.

Segment naming: \dpuerner_20260327_090000_part1.ts, \dpuerner_20260327_090000_part2.ts, etc.

---

Phase 1 — Refactor \Invoke-iKATRecording.ps1\

1. Set \\ once before the loop — shared across all segment files for this logon session
2. Add \ = 1, incremented each time ffmpeg exits and the session is still active
3. Move output file construction inside the loop: \\.ts\
4. Replace the current single-launch + \ ry/finally\ with a \while\ loop:
   • Re-check disk space at the top of each iteration
   • Build the output path with the current part number
   • Launch ffmpeg via \ProcessStartInfo\ (same mechanism as current)
   • Inner wait: \while (-not .HasExited) { Start-Sleep 5 }\
   • After exit: log the exit code, \Start-Sleep -Seconds 2, increment \\
   • Loop condition: (Get-Process -Name "explorer" -ErrorAction SilentlyContinue) -ne \ — \�xplorer.exe\ only runs in interactive user sessions; gone = logged off
5. Keep \inally\ outside the while loop — handles actual logoff by cleanly quitting the current ffmpeg instance

Phase 2 — Update Tests (parallel with Phase 1)

6. Fix stale path in \Tests/iCat/Invoke-iKATRecording.Tests.ps1: \Scripts\iCat\ → \Scripts\iKAT\
7. Add a test: mock ffmpeg exiting non-zero while explorer is running → assert _part2.ts\ is created

Phase 3 — Log

8. Add an entry to \Scripts/iKAT/Invoke-FFmpegCapture/log.md\

---

Files Changed

• \Scripts/iKAT/Invoke-FFmpegCapture/Invoke-iKATRecording.ps1\
• \Tests/iCat/Invoke-iKATRecording.Tests.ps1\
• \Scripts/iKAT/Invoke-FFmpegCapture/log.md\

Key Decisions

• **Session detection via \�xplorer.exe**: reliable logoff signal; not present in Session 0 or after logoff
• 2-second restart delay: lets the UAC secure desktop fully dismiss before gdigrab reacquires the desktop
• \inally\ outside the loop: logoff still triggers a clean ffmpeg shutdown
• No changes to runner scripts or Task Scheduler tasks

[J-MaFf]

Resolution — implemented in PR #91

Root cause clarification: FFmpeg exits with code 0 (clean exit) when the UAC secure desktop dismisses its gdigrab handle — not a non-zero crash code. The initial implementation used an exit-code check to detect unexpected exits, which meant UAC-triggered exits were silently treated as graceful logoffs and the loop broke. Fixed by replacing the exit-code check with an explorer.exe presence check: if Explorer is still running, the user session is still active and FFmpeg is restarted regardless of exit code.

Segment naming: Each segment shares a single $sessionTimestamp set at logon, with an incrementing part number — e.g., dpuerner_20260327_100015_part1.ts, dpuerner_20260327_100015_part2.ts. This makes it easy to identify all segments from a single session.

Restart delay: Logarithmic backoff — first 10 restarts wait 1 second (fast recovery for back-to-back UAC prompts), restarts 11+ use Round(Ln(restartCount - 9) * 5) seconds. Max restarts raised to 60 over a 60-minute rolling window.

Verified on server (KFWS6IKAT01.kikkoman.com): UAC prompt triggered a _part2.ts segment within ~1 second. All 6 Pester tests pass.