Vulnerability Development mailing list archives

Re: Win2K Local DoS?


From: Dimitry Andric <dim () XS4ALL NL>
Date: Thu, 3 Aug 2000 17:00:40 +0200


On 2000/08/03 at 05:29 Kevin Stephenson wrote:

> I ran services.exe from the run box, and it took my load up to 100%.
> Checking the task list, there were 2 services.exe and Win2K would
> not allow me to kill either process. The one I spawned was running
> at 99% of load. I then started up another 10 services.exe processes.
> Eventually, the load spread to about 33% over 3 of the processes. I
> don't see a way to kill these processes without a reboot. Have a
> nice day.

This is a (IMHO stupid) restriction which was built into the Windows
2000 Task Manager (but not into the NT4 version). It simply checks
for some reserved names, such as services.exe, lsass.exe or
winlogon.exe, and refuses to even _try_ an OpenProcess() +
TerminateProcess() call on these. If you do this yourself, it will
work fine, but not on the "real" services.exe of course, because that
runs under the LocalSystem account.

Try using SysInternals' PSList and PSKill; these free tools will
surely rid you of these runaway processes. Watch out what you kill,
though: if you take down winlogon.exe or the "real" services.exe, it
will BSOD on you.

Btw, maybe this "feature" of Win2k task manager can be nicely abused:
just rename your local copy of Back Orifice to services.exe ;-)

Cheers,
--
Dimitry Andric <dim () xs4all nl>
PGP Key: http://www.xs4all.nl/~dim/dim.asc
KeyID: 4096/1024-0x2E2096A3
Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3

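The distinction the reply draws between the genuine services.exe (running as LocalSystem from System32) and a same-named copy is exactly what an administrator should check before terminating anything. The script below is an added example, not part of the original thread, and assumes a modern Windows host with PowerShell 3 or later and the CIM cmdlets, run from an elevated prompt; the hypothetical function name Get-ServicesExeReport is my own.

```powershell
# Added example, not from the original post. Assumes PowerShell 3+, CIM cmdlets,
# and an elevated session (otherwise ExecutablePath of SYSTEM processes is unreadable).
# Lists every process named services.exe, resolves owner and image path, and,
# with -Kill, terminates only copies that provably are NOT the real Service
# Control Manager. Ambiguous entries are reported but left alone.
param([switch]$Kill)

$realPath = Join-Path $env:SystemRoot 'System32\services.exe'

function Get-ServicesExeReport {
    Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unavailable>' }
        # Genuine: LocalSystem owner AND the System32 image path.
        $isReal = ($user -eq 'NT AUTHORITY\SYSTEM') -and ($_.ExecutablePath -ieq $realPath)
        # Impostor: owner was resolved and is not LocalSystem (the copy a user launched).
        $isImpostor = ($owner.ReturnValue -eq 0) -and ($user -ne 'NT AUTHORITY\SYSTEM')
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Owner     = $user
            Path      = $_.ExecutablePath
            Genuine   = $isReal
            Impostor  = $isImpostor
        }
    }
}

$report = Get-ServicesExeReport
$report | Format-Table -AutoSize

if ($Kill) {
    foreach ($p in $report | Where-Object { $_.Impostor }) {
        # Stop-Process goes through OpenProcess/TerminateProcess directly,
        # bypassing Task Manager's reserved-name refusal described in the reply.
        Write-Host "Terminating non-SYSTEM services.exe PID $($p.ProcessId) ($($p.Owner))"
        Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue
    }
}
```

Run without -Kill first to review the table; an entry that is neither Genuine nor Impostor (owner unresolvable) is deliberately never terminated, since killing the real services.exe crashes the machine as the reply notes.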

