RE: W2k: Unkillable Applications

From: Snow, Corey (CSNOWat_private)
Date: Mon Jul 16 2001 - 14:06:20 PDT


    I can confirm this; I created a simple Win32 app named "Winlogon.exe" and
    Task Manager refused to terminate it. However, I discovered something
    interesting: Microsoft's "kill" utility will terminate the faux
    winlogon.exe, but will not terminate the real one.
     
    See below- pid 1692 is the pid for my fake winlogon.exe. When the 'kill'
    command was executed, the process died right there with no fuss. However,
    188 is the pid for the real winlogon.exe. Despite what it says about the
    'NetDDE Agent' being killed, the winlogon.exe process continues to run just
    fine, and one can actually issue a kill command repeatedly with the same
    results. So far, it does not seem to have affected the operation of my
    system in any way whatsoever.
    
    Corey M. Snow- csnowat_private
    Senior Web Developer, Washington Dental Service
    (206) 528-7361, Mobile (360) 481-2563
    FAX: (206) 985-4939
    Web: http://www.deltadentalwa.com
    
    ----
    
    C:\TEMP>kill 1692
    process WinLogon.exe (1692) - 'WinLogonTest' killed
    
    C:\TEMP>kill 188
    process WINLOGON.EXE (188) - 'NetDDE Agent' killed
    
    C:\TEMP>
    ----
    
    > -----Original Message-----
    > From: Thomas Zehetbauer [mailto:thomaszat_private]
    > Sent: Monday, July 16, 2001 9:59 AM
    > To: Bugtraq Mailing List
    > Subject: W2k: Unkillable Applications
    > 
    > 
    > Task Manager in Windows 2000 refuses to kill any process named
    > - winlogon.exe
    > - csrss.exe
    > - smss.exe
    > - services.exe
    > showing a message box stating that this is a critical system process and
    > cannot be ended by Task Manager.
    > 
    > Although these processes were and are still protected by their ACL (Access
    > Control List), Microsoft is now using case-insensitive string comparison to
    > determine whether a process belongs to the operating system.
    > 
    > You can now call your favorite trojan winlogon.exe and Task Manager will not
    > only refuse to terminate it but will also incorrectly state that it is a
    > critical system process.
    > 
    > Regards
    > Tom
    > 
    > -- 
    >   T h o m a s   Z e h e t b a u e r   ( TZ251 )
    >   PGP encrypted mail preferred - KeyID 96FFCB89
    >        mail pgp-key-requestat_private
    > 
    
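As an added example, not code from either post above: a PowerShell triage check that identifies processes by attributes the name comparison described in the thread ignores (image path, owner, session, parent and Authenticode signature). It assumes a current Windows PowerShell session run elevated, so that the image paths of system processes are readable; the list of protected names comes from the thread, while the "Suspicious" criteria are this example's own assumptions, not anything stated by the original posters or documented by Microsoft.

```powershell
# Added example (not from the original posts): list every process whose image name
# matches one of the names Task Manager refuses to end, and report the attributes a
# name-only check cannot see. Assumes an elevated Windows PowerShell 5.1+ session.
$protected = 'winlogon', 'csrss', 'smss', 'services'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-ProtectedNameProcesses {
    Get-CimInstance Win32_Process |
        Where-Object {
            $protected -contains [IO.Path]::GetFileNameWithoutExtension($_.Name)
        } |
        ForEach-Object {
            # Owner comes from the process token; a genuine system binary runs as SYSTEM.
            $owner   = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $exePath = $_.ExecutablePath

            # Genuine copies live in %SystemRoot%\System32; a look-alike dropped in
            # a temp directory (as in the thread) does not, whatever it is named.
            $inSystem32 = $exePath -and
                ([IO.Path]::GetDirectoryName($exePath) -ieq $system32)

            # Signature status of the on-disk image ('Valid' for Microsoft binaries).
            $sig = if ($exePath) {
                (Get-AuthenticodeSignature -FilePath $exePath).Status
            } else { 'Unknown' }

            [pscustomobject]@{
                Pid        = $_.ProcessId
                Name       = $_.Name
                Path       = $exePath
                Owner      = "$($owner.Domain)\$($owner.User)"
                Session    = $_.SessionId
                ParentPid  = $_.ParentProcessId
                Signature  = $sig
                # Example heuristic (assumption): flag anything that is not a signed
                # SYSTEM-owned image under System32. Adjust to your own baseline.
                Suspicious = -not ($inSystem32 -and $owner.User -eq 'SYSTEM' -and $sig -eq 'Valid')
            }
        }
}

Get-ProtectedNameProcesses | Format-Table -AutoSize
```

Run it elevated: without administrative rights, ExecutablePath for csrss.exe and smss.exe is typically empty, which the heuristic would report as suspicious for the wrong reason. On current Windows there is one legitimate winlogon.exe and csrss.exe per interactive session, so several rows with the same name are normal; what should never appear is a row with a path outside System32 or an owner other than SYSTEM.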
    



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 15:08:49 PDT