Hi, Recently I discovered that the process that shows the windows xp logon screen (logonui.exe in your \winnt\system32\ folder) runs as the 'system' user. This process gets started whenever the user logon screen gets shown, this is either after booting up Windows XP or when switching users. In my experience so far the system account in Windows NT/2000 has (almost?) the same rights as the Administrator account. I decided it might be nice to kick it a bit in order to see if I could make it do things it isn't supposed to do. I replaced the logonui.exe file with the task manager (which showed the user 'system' owns the process). From the taskmgr.exe process I tried spawning a new process, cmd.exe. I received the error "Not enough quota available to process this command.' I received the same error when I replaced the logonui.exe file directly with cmd.exe. The command prompt would actually show, but any commands not built into cmd.exe itself would not run. After this I replaced the file with NT4's usrmgr.exe to see if I had rights enough to adjust user settings. It turns out that this is also restricted. I also wrote some programs myself to try to push a user from the normal user group into the admin group through the ADSI interface, but this didn't work out either. Please note that the logonui.exe file can only be replaced by a user that already has administrative rights. The thing is that a lot of Windows XP users are actually replacing this file with copies they download of the net. From sites such as www.themexp.org it is possible to download 'customized logon screens' which show your favorite actor or sports car or whatever. I would like to warn for the fact that, since Microsoft chose to use a binary format for a file that only contains some info on where to place what pictures during logon and the pictures themselves, it is trivial to write a trojan that fakes a logon screen and e-mails the entered usernames & passwords. I have already written & tested one succesfully on my home network. It is unclear to me why Microsoft chose to use a binary format for a file that, as far as I can see, contains nothing more than layout info. History has already proved that users will gladly trade in security if it means they can see some chick or something funny during the logon process. Still, a trojan ofcourse isn't a security bug. Since I do not know how they restricted the system account I would like to ask you for advice on this. I have a feeling that it hasn't been done nicely, though I can't really tell why, probably because I don't understand *how* it has been done :) Any help with this would be greatly appreciated, Menso -- --------------------------------------------------------------------- Anyway, the :// part is an 'emoticon' representing a man with a strip of sticky tape across his mouth. -R. Douglas, alt.sysadmin.recovery ---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 20:12:53 PST