SessionGuard is a Windows 11 utility that helps reduce surprise Windows Update restart disruption without disabling Windows Update.
It is designed for people who keep live work open for long stretches of time: terminals, editors, browsers, local dev servers, research tabs, and similar restart-sensitive tools.
- monitors bounded restart and reboot-required signals that are available from user mode
- detects configured protected apps and derives workspace-risk hints from them
- surfaces restart pressure, policy state, and recommended next steps in a tray-first desktop app
- supports a background service for continuous monitoring and service-owned write actions
- applies a small set of reversible native mitigation settings when run with the required permissions
The preferred end-user download is:
sessionguard-win11-setup-<version>-win-x64.zip
Extract it, open an elevated PowerShell session in the extracted folder, and run:
powershell -ExecutionPolicy Bypass -File .\Verify-SessionGuard.ps1
powershell -ExecutionPolicy Bypass -File .\Install-SessionGuard.ps1SessionGuard releases now also publish sessionguard-win11-sha256-<version>.txt. For a direct-download install, verify the setup zip hash before extraction:
Get-FileHash .\sessionguard-win11-setup-<version>-win-x64.zip -Algorithm SHA256That install path:
- installs the Windows Service
- installs the shared runtime under
C:\Program Files\SessionGuard - registers the tray app to start at sign-in for the current user
- scopes the installed service control plane plus
logs/andstate/access to that user, administrators, andSYSTEM - stops a running installed tray app before replacing files during reinstall or upgrade
- attempts to launch the app minimized to the tray unless you opt out with
-DoNotLaunchApp - can verify the extracted bundle contents before install with
Verify-SessionGuard.ps1
Install it from the same signed-in Windows account that should see the tray icon at sign-in. The startup registration is written to that user's HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.
Verify-SessionGuard.ps1 checks the extracted files against the included bundle inventory and reports the current Authenticode signature status of SessionGuard.App.exe, SessionGuard.Service.exe, and the root installer scripts. It helps catch incomplete extraction and local file changes after extraction, but it does not prove publisher authenticity on its own and does not replace verifying the published zip hash.
If Windows blocks the immediate app launch, the install still succeeds. Official SessionGuard tag releases are intended to be Authenticode-signed, but local or custom builds may still be unsigned and can trigger SmartScreen or other Windows trust prompts. You can launch C:\Program Files\SessionGuard\SessionGuard.App.exe manually from your normal desktop session, use -DoNotLaunchApp during install, or wait for the next sign-in.
For full install, uninstall, and source-run instructions, use Getting Started.
SessionGuard has two processes:
SessionGuard.Service.exe: background engine- auto-starts with Windows when installed
- runs monitoring continuously
- owns service-backed write actions
SessionGuard.App.exe: tray icon and dashboard- starts at user sign-in when installed
- owns the tray icon and visible UI
- uses the tray menu for the day-to-day summary, next step, and common action
- connects to the service when available
- falls back to local read-only monitoring when the service is unavailable
Important behavior:
- the tray icon belongs to the app, not the service
- service-backed guard-mode, mitigation, and approval actions require both service connectivity and an elevated app session
- in installed mode, the service pipe plus
logs/andstate/are scoped to the installing user, administrators, andSYSTEM - when the service is connected but the current app session cannot write, use
Open elevated controlsfrom the dashboard or tray-backed workflow instead of guessing which binary to relaunch - in normal installed use, the tray menu is the daily path and the dashboard is opened on demand
For the fuller app-versus-service explanation, see Runtime Model.
You only need the .NET 9 SDK if you are building from source.
Use these docs:
- Getting Started for source build, local service-host, and install paths
- Development and Release Guide for validation, packaging, and tag-driven release steps
SessionGuard does not:
- disable Windows Update
- guarantee prevention of every Windows restart path
- inspect unsaved buffers, tab importance, or app-specific internal state
- restore unsaved workspaces after a restart
See Limitations for the full platform and permissions boundaries.
- Getting Started
- Runtime Model
- Development and Release Guide
- Manual Validation Checklist
- Architecture
- Product Brief
- Limitations
- Roadmap
- Future service and shell direction
- Latest shipped release notes
- Current unreleased packaging and trust notes
SessionGuard is best used as a restart-awareness and mitigation helper for a machine that should stay up to date while reducing the chance that Windows Update catches an active workspace at the wrong time.
The full product is best suited to direct-download distribution. A Microsoft Store edition would likely need a reduced packaging and privilege model.