Chris Adams <chrisat_private> wrote:

CA> Task Manager is really inconsistent - I renamed a copy of notepad to
CA> winlogon.exe. If I start it and try to kill it through the "Applications"
CA> tab of the task manager, it will be killed as normal. If I try to kill it
CA> through the "Processes" tab, task manager won't let me.

The WinXP task manager also behaves this way (at least in RC1).

CA> It might be worth seeing exactly what triggers this behaviour in the task
CA> manager - the application tab might have different filtering criteria
CA> (e.g. is it strictly ACL-based or might it be looking at something like the
CA> original filename attribute in the exe header?). In any case, a malicious
CA> attacker could simply make a program which doesn't open a window, which
CA> would cause it not to show up in the Applications tab.

It appears that the Processes tab is doing a simple filename-based search, and the Applications tab isn't doing any search at all. (After all, the 'critical system processes' like Winlogon would never show up in the Applications tab in the first place, since they don't have top-level windows associated with them.)

The amusing thing is that the Task Manager clearly has enough information to discriminate between the 'real' Winlogon and the 'fake' one, and even shows that information to the user; for example, the real Winlogon is run under the SYSTEM account, while the fake one is running as the user. But it does not use this information in deciding which processes to allow to be killed; it apparently only uses the filename.

At the very, very least, the Task Manager should be making this check based on the full pathname of the process, not just the filename; an application running in C:\TEMP is highly unlikely to be a critical system process...
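As an added example (not part of the original thread), a PowerShell check that applies the test the reply asks for: every process whose image name matches a critical system process is compared against its full path and its owner, and anything outside the system directory or not running as SYSTEM is flagged. It assumes a Windows host and an elevated prompt (so that paths and owners of SYSTEM processes can be read); the list of names is my own choice.

```powershell
# Added example: flag processes that borrow a critical system process name
# but run from the wrong directory or under the wrong account. Assumes an
# elevated PowerShell session on Windows; the name list is an assumption.

$critical  = @('winlogon.exe', 'csrss.exe', 'lsass.exe', 'services.exe')
$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32

Get-CimInstance Win32_Process |
    Where-Object { $critical -contains $_.Name.ToLower() } |
    ForEach-Object {
        # Resolve the owning account; GetOwner fails (non-zero ReturnValue)
        # when the caller lacks rights, which is itself worth seeing.
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        $path  = $_.ExecutablePath
        $reasons = @()

        # Check 1: the full path, not just the file name, must be under the system directory.
        if (-not $path) {
            $reasons += 'no executable path (access denied or process exited)'
        } elseif (-not $path.StartsWith($systemDir, 'OrdinalIgnoreCase')) {
            $reasons += "runs from $path, not $systemDir"
        }

        # Check 2: the real Winlogon & co. run as SYSTEM; a renamed notepad runs as the user.
        if ($user -notmatch '^NT AUTHORITY\\SYSTEM$') {
            $reasons += "owner is $user, not NT AUTHORITY\SYSTEM"
        }

        $verdict = if ($reasons.Count) { 'SUSPECT: ' + ($reasons -join '; ') } else { 'ok' }

        [pscustomobject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Path    = $path
            Owner   = $user
            Verdict = $verdict
        }
    } | Format-Table -AutoSize
```

A copy of notepad renamed to winlogon.exe and started from C:\TEMP shows up with both reasons set, while the genuine instance reports 'ok'.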
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 13:07:58 PDT