I can confirm this; I created a simple Win32 app named "Winlogon.exe" and Task Manager refused to terminate it.

However, I discovered something interesting: Microsoft's "kill" utility will terminate the faux winlogon.exe, but will not terminate the real one. See below: pid 1692 is the pid for my fake winlogon.exe. When the 'kill' command was executed, the process died right there with no fuss. However, 188 is the pid for the real winlogon.exe. Despite what it says about the 'NetDDE Agent' being killed, the winlogon.exe process continues to run just fine, and one can actually issue a kill command repeatedly with the same results. So far, it does not seem to have affected the operation of my system in any way whatsoever.

Corey M. Snow- csnowat_private
Senior Web Developer, Washington Dental Service
(206) 528-7361, Mobile (360) 481-2563
FAX: (206) 985-4939
Web: http://www.deltadentalwa.com

----
C:\TEMP>kill 1692
process WinLogon.exe (1692) - 'WinLogonTest' killed

C:\TEMP>kill 188
process WINLOGON.EXE (188) - 'NetDDE Agent' killed

C:\TEMP>
----

> -----Original Message-----
> From: Thomas Zehetbauer [mailto:thomaszat_private]
> Sent: Monday, July 16, 2001 9:59 AM
> To: Bugtraq Mailing List
> Subject: W2k: Unkillable Applications
>
>
> Task Manager in Windows 2000 refuses to kill any process named
> - winlogon.exe
> - csrss.exe
> - smss.exe
> - services.exe
> showing a message box stating that this is a critical system process and
> cannot be ended by task manager.
>
> Although these processes were and are still protected by their ACL (Access
> Control List) Microsoft is now using case-insensitive string comparison to
> determine whether a process belongs to the operating system.
>
> You can now call your favorite trojan winlogon.exe and task manager will not
> only refuse to terminate it but will also incorrectly state that it is a
> critical system process.
>
> Regards
> Tom
>
> --
> T h o m a s Z e h e t b a u e r ( TZ251 )
> PGP encrypted mail preferred - KeyID 96FFCB89
> mail pgp-key-requestat_private
>

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 15:08:49 PDT
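
The thread above shows that an image name alone does not identify a system process. The following is an added example, not code from either poster or from Microsoft: a triage check that flags processes carrying one of the four protected names without being loaded from the system directory. The PIDs 188 and 1692 come from the message; every path, the other PIDs, the C:\WINNT system root and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform

# The four image names Task Manager protects, as listed in the quoted report.
PROTECTED_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "services.exe"}


def is_expected_location(image_path, system_root):
    """True if image_path sits directly in <system_root>\\System32.

    Both sides are normalised first so that case differences and '..'
    segments cannot disguise a different directory.
    """
    expected = ntpath.normcase(ntpath.normpath(ntpath.join(system_root, "System32")))
    actual = ntpath.normcase(ntpath.normpath(ntpath.dirname(image_path)))
    return actual == expected


def find_masquerading(processes, system_root=r"C:\WINNT"):
    """Return (pid, path) pairs that have a protected name but the wrong directory.

    A bare name with no directory cannot be verified and is flagged as well.
    """
    flagged = []
    for pid, image_path in processes:
        name = ntpath.basename(image_path).lower()
        if name in PROTECTED_NAMES and not is_expected_location(image_path, system_root):
            flagged.append((pid, image_path))
    return flagged


# Constructed sample process list (paths are assumed, not taken from the message).
SAMPLE = [
    (188, r"C:\WINNT\system32\WINLOGON.EXE"),       # genuine location
    (1692, r"C:\TEMP\WinLogon.exe"),                # look-alike name, wrong directory
    (212, r"C:\WINNT\System32\services.exe"),       # genuine location
    (940, r"C:\WINNT\System32\..\Temp\csrss.exe"),  # '..' hides the real directory
    (1300, r"C:\Program Files\App\notepad.exe"),    # unrelated name, ignored
]

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE):
        print(f"suspicious: pid {pid} image {path}")
```

A matching path is one signal rather than proof of authenticity; the ACL protection mentioned in the original report remains the actual control on the real processes.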