Named Pipes in .NET 6 with Tray Icon and Service

Good article, but I wish the author would&#x27;ve addressed securing these named pipes.<p>Consider that if a user-mode application can send messages to a privileged process (like a Windows service).<p>What prevents <i>any</i> user-mode application from doing that? And if your Windows service is running as &quot;NT_AUTHORITY&#x2F;SYSTEM&quot; and even executes privileged commands, well you might find you&#x27;ve got a simple privilege escalation vuln.<p>Remember, secure your named pipes...especially when the named pipe server runs as SYSTEM.<p>- <a href="https:&#x2F;&#x2F;stackoverflow.com&#x2F;a&#x2F;59983266" rel="nofollow">https:&#x2F;&#x2F;stackoverflow.com&#x2F;a&#x2F;59983266</a><p>- <a href="https:&#x2F;&#x2F;versprite.com&#x2F;blog&#x2F;security-research&#x2F;vulnerable-named-pipe-application&#x2F;" rel="nofollow">https:&#x2F;&#x2F;versprite.com&#x2F;blog&#x2F;security-research&#x2F;vulnerable-name...</a>

I think this is the first NamedPipes tutorial in C# that I&#x27;ve ever seen that doesn&#x27;t do things completely wrong by using a StreamWriter or StreamReader. Of course, that&#x27;s because it uses another library that wraps all the tricky bits of NamedPipes that everybody always does wrong -&gt; <a href="https:&#x2F;&#x2F;github.com&#x2F;HavenDV&#x2F;H.Pipes" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;HavenDV&#x2F;H.Pipes</a><p>NamedPipes are sweet for doing same-machine IPC on Windows, that is for sure, but the built-in API is full of footguns.

Just to clarify something at the start of the article... If you are using full Visual Studio to develop with .NET 6, you will need 2022. If not, (eg. VS Code), will work with the command line sdk.

I didn&#x27;t use named pipes since 2010 but last time I checked named pipes are great for Inter Process Communication on the same machine. Great in terms of performance and access to a standard interface. WCF can be configured to use named pipes on local machines. Last time I checked named pipes were also available on the network and visible by other machines with some overhead.<p>Security can be achieved not at channel level but at message level: If cannot decrypt the message then it&#x27;s not for you. At the expense of overhead you open the door for flexibility.<p>Ultimately it&#x27;s a tool. What it matters is how you use it. Definitely better than using shared memory for IPC. Files are by default not secured either. Anyone can write into it.

Amazing read and insanely helpful. Thanks a ton both to the author and to who posted it, if different people.

This uses the package H.Pipes which seems to use System.Runtime.Serialization.BinaryFormatter by default; isn&#x27;t this insecure?

An alternative that comes with built-in dependency injection is using the .NET hosted process model. Much easier to test too.

Honest question - how relevant the skill like that nowadays with all the stuff going Web and Electron?<p>Are there any apps (except for creating stuff) that are being developed in a way that “server” part is running locally? It seems to me that everything goes web now and if you have a desktop it’s “just” a client for something remote?

Named pipes have been in Windows for many years <a href="https:&#x2F;&#x2F;docs.microsoft.com&#x2F;en-us&#x2F;windows&#x2F;win32&#x2F;api&#x2F;winbase&#x2F;nf-winbase-createnamedpipea" rel="nofollow">https:&#x2F;&#x2F;docs.microsoft.com&#x2F;en-us&#x2F;windows&#x2F;win32&#x2F;api&#x2F;winbase&#x2F;n...</a>

I don&#x27;t know why I expected something more technical for the tray icon part. I mean using a third party library is not really anything .NET 6 specific.

Wow the dotnet people are still doing this thing when they have screenshots of what to click in VS? So easy to reproduce!