on 2001-07-17 09:20, Justin Nelson at securityat_private wrote: >> cannot confirm that. I renamed one of my applications to >> Winlogon.exe and succeeded to kill it without any problem >> with taskmanager. > > Under Windows 2000 Pro, I made a copy of "notepad.exe" renamed to > "winlogon.exe", and could not kill it via the Task Manager. Both the 'kill' > command and the VC++ debugger were able to kill it. Task Manager is really inconsistent - I renamed a copy of notepad to winlogon.exe. If I start it and try to kill it through the "Applications" tab of the task manager, it will be killed as normal. If I try to kill it through the "Processes" tab, task manager won't let me. I might be worth seeing exactly what triggers this behaviour in the task manager - the application tab might have a different filtering criteria (e.g. is it strictly ACL-based or might it be looking at something like the original filename attribute in the exe header?). In any case, a malicious attacker could simply make a program which doesn't open a window, which would cause it not to show up in the Applications tab.
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 11:38:24 PDT