RE: W2k: Unkillable Applications

From: Snow, Corey (CSNOWat_private)
Date: Tue Jul 17 2001 - 11:43:20 PDT

    In response to this and a couple of questions and points raised off-list I
    tried my test with a few more variables.
    
    First, using the "-f" option to kill.exe (which is "force process kill")
    does cause the untimely death of the real winlogon.exe process, to the
    obvious detriment of the system it used to be running on. :) My Win2K Server
    (SP1) spontaneously rebooted about a minute later with no warnings.
    
    Second, rebuilding the original test app, which is simply a VC++ 6.0
    template project- the "Hello World" Win32 app- using the internal name
    'NetDDE Agent' did not change anything. Using kill without -f produced the
    same results; namely that the "fake" process would be killed and the "real"
    process would not be, although the kill utility would claim it had.
    
    Third, the results appear to be the same regardless of whether one is using
    a debug or release build of the application (probably not even relevant, but
    I figured I'd include it).
    
    I haven't tried this test on a system where I don't have Debug privileges
    (SeDebugPrivilege) on the machine in question. I know that "kill" will not
    work using an account without debug privileges. I imagine the same
    restriction is the case for utilities like pskill and other third-party
    utilities.
    
    The original poster's point about trojans being named using these
    quasi-protected names is a good one, I think. Not only is it more difficult
    to kill these processes, even for someone knowledgeable, it is probably
    downright impossible for someone without debug privilege, or even with debug
    privilege without a debugger or appropriate utility (kill.exe is not part of
    Win2K off the shelf, but rather a component of the Win2K resource kit).
    Also, most users don't have a debugger installed, even if they have debug
    privileges.
    
    With all that said, I'm also not sure if there is a good fix to this issue.
    Certainly, Task Manager should be fixed to not use such comparisons on the
    process name, because any ACLs on the process are still in effect, as
    pointed out by the original poster. Would it be a good idea, I wonder, to
    update WinNT/2K to not allow processes to start with these "special" names
    other than its own? That comes with its own set of problems, I imagine.
    
    Best regards,
    
    Corey M. Snow- csnowat_private
    Senior Web Developer, Washington Dental Service
    (206) 528-7361, Mobile (360) 481-2563
    FAX: (206) 985-4939 Web: http://www.deltadentalwa.com
    "Wind the frog!"- Woody
    
    
    -----Original Message-----
    From: Wannemacher, Eric [mailto:EricWat_private]
    Sent: Tuesday, July 17, 2001 8:40 AM
    To: 'BUGTRAQat_private'
    Subject: RE: W2k: Unkillable Applications
    
    
    
    SysInternals' (http://www.sysinternals.com) pskill utility will happily kill
    winlogon.exe and services.exe.  Killing winlogon will blue screen the
    machine so be careful.
    
    
    #########################################################
    The information contained in this e-mail and subsequent attachments may be privileged, 
    confidential and protected from disclosure.  This transmission is intended for the sole 
    use of the individual and entity to whom it is addressed.  If you are not the intended 
    recipient, any dissemination, distribution or copying is strictly prohibited.  If you 
    think that you have received this message in error, please e-mail the sender at the above 
    e-mail address.
    #########################################################
    
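The thread's point is that a name-only check (the one Task Manager makes) cannot tell a genuine winlogon.exe or services.exe from an arbitrary program given the same name, and that the process ACLs are what actually stand between a user and the real system process. A defender therefore wants a check that looks at something other than the name: the image path and the parent process. The following is an added example, not code from either poster; it runs over a constructed process list in the shape of a `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath` listing and flags protected names whose image is outside the system directory or whose parent is not the one the NT/2K boot chain normally gives them (smss.exe starts winlogon.exe, which starts services.exe; those parent names and the `C:\WINNT` system root are assumptions of this example). It goes a little beyond the thread by checking both signals rather than one.

```python
"""Flag processes that carry a 'protected' Windows process name but do not
look like the genuine instance (added example; sample data is constructed)."""
import ntpath

# Names the thread reports Task Manager treating specially.  Extend this
# set with the other core system processes if you use the check for real.
PROTECTED_NAMES = {"winlogon.exe", "services.exe"}

# Expected parent for each genuine instance (assumed NT/2K boot chain).
EXPECTED_PARENT = {
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
}

# Constructed sample: one genuine winlogon/services pair plus the
# renamed "Hello World" test app from the thread, started from Explorer.
SAMPLE_PROCESSES = [
    {"pid": 140,  "ppid": 8,   "name": "smss.exe",
     "path": r"C:\WINNT\system32\smss.exe"},
    {"pid": 168,  "ppid": 140, "name": "winlogon.exe",
     "path": r"C:\WINNT\system32\winlogon.exe"},
    {"pid": 212,  "ppid": 168, "name": "services.exe",
     "path": r"C:\WINNT\system32\services.exe"},
    {"pid": 900,  "ppid": 700, "name": "explorer.exe",
     "path": r"C:\WINNT\explorer.exe"},
    {"pid": 1044, "ppid": 900, "name": "winlogon.exe",      # the test app
     "path": r"C:\Temp\hello\winlogon.exe"},
]


def find_masquerading(processes, system_root=r"C:\WINNT"):
    """Return [(pid, name, [reasons])] for protected names that fail the
    image-path or parent-process check.  Names are compared
    case-insensitively, as Task Manager does."""
    system32 = ntpath.join(system_root, "system32").lower()
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()
        if name not in PROTECTED_NAMES:
            continue
        reasons = []
        # Check 1: the genuine image lives in %SystemRoot%\system32.
        if ntpath.dirname(p["path"]).lower() != system32:
            reasons.append("image %s is outside %s" % (p["path"], system32))
        # Check 2: the genuine instance has a specific parent process.
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<none>"
        if parent_name != EXPECTED_PARENT[name]:
            reasons.append("parent is %s, expected %s"
                           % (parent_name, EXPECTED_PARENT[name]))
        if reasons:
            findings.append((p["pid"], name, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in find_masquerading(SAMPLE_PROCESSES):
        print("PID %d %s: %s" % (pid, name, "; ".join(reasons)))
```

Only PID 1044 is reported, on both counts; the real winlogon.exe and services.exe pass even though they share the name. Note what the check does not do: it never tries to terminate anything, so it needs no SeDebugPrivilege, and it is independent of any internal name or version resource the binary carries (the thread found that setting one changed nothing). On a real Win2K host you would feed it the `wmic` listing above, or an equivalent from the resource kit, rather than the constructed sample.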



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 12:34:55 PDT