Vulnerability Development mailing list archives
Re: Win2K Local DoS?
From: Dimitry Andric <dim () XS4ALL NL>
Date: Thu, 3 Aug 2000 17:00:40 +0200
On 2000/08/03 at 05:29 Kevin Stephenson wrote:

> I ran services.exe from the run box, and it took my load up to 100%. Checking the task list, there were 2 services.exe and Win2K would not allow me to kill either process. The one I spawned was running at 99% of load. I then started up another 10 services.exe processes. Eventually, the load spread to about 33% over 3 of the processes. I don't see a way to kill these processes without a reboot. Have a nice day.

This is a (IMHO stupid) restriction which was built into the Windows 2000 Task Manager (but not into the NT4 version). It simply checks for some reserved names, such as services.exe, lsass.exe or winlogon.exe, and refuses to even _try_ an OpenProcess() + TerminateProcess() call on these. If you do this yourself, it will work fine, but not on the "real" services.exe of course, because that runs under the LocalSystem account.

Try using SysInternals' PSList and PSKill; these free tools will surely rid you of these runaway processes. Watch out what you kill though: if you take down winlogon.exe or the "real" services.exe, it will BSOD on you.

Btw, maybe this "feature" of Win2k task manager can be nicely abused: just rename your local copy of Back Orifice to services.exe ;-)

Cheers,
--
Dimitry Andric <dim () xs4all nl>
PGP Key: http://www.xs4all.nl/~dim/dim.asc
KeyID: 4096/1024-0x2E2096A3
Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3
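Because the refusal described in the message above keys on the image name alone, a defender reviewing a process list has to check more than the name. The following Python check is an added example, not part of the original post: it flags processes that carry one of the reserved names but run from outside System32 or under an account other than LocalSystem. The snapshot format, the `C:\WINNT` system root and the sample rows are constructed assumptions.

```python
import ntpath

# Names the message says the Windows 2000 Task Manager refuses to terminate.
RESERVED = {"services.exe", "lsass.exe", "winlogon.exe"}
# Spellings of the LocalSystem account a process lister may report (assumption).
SYSTEM_ACCOUNTS = {r"nt authority\system", "system", "localsystem"}


def find_masquerading(processes, system_root=r"C:\WINNT"):
    """Return [(pid, reasons)] for processes that use a reserved name but do
    not look like the genuine system instance.

    processes: iterable of dicts with keys pid, name, path, user
    (a hypothetical snapshot format; fill it from any process lister).
    """
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    findings = []
    for proc in processes:
        if proc["name"].lower() not in RESERVED:
            continue
        reasons = []
        path = proc.get("path")
        if not path:
            reasons.append("image path unavailable")
        elif ntpath.normcase(ntpath.dirname(ntpath.normpath(path))) != expected_dir:
            reasons.append("image outside " + expected_dir)
        if (proc.get("user") or "").lower() not in SYSTEM_ACCOUNTS:
            reasons.append("not running as LocalSystem")
        if reasons:
            findings.append((proc["pid"], reasons))
    return findings


# Constructed sample: the genuine service, a copy started by a user from the
# Run box (the situation in the quoted report), and a renamed binary elsewhere.
SAMPLE = [
    {"pid": 212, "name": "services.exe",
     "path": r"C:\WINNT\system32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1044, "name": "services.exe",
     "path": r"C:\WINNT\system32\services.exe", "user": r"WORKSTATION\user1"},
    {"pid": 1320, "name": "SERVICES.EXE",
     "path": r"C:\Temp\services.exe", "user": r"WORKSTATION\user1"},
    {"pid": 1400, "name": "notepad.exe",
     "path": r"C:\WINNT\system32\notepad.exe", "user": r"WORKSTATION\user1"},
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE):
        print(pid, "; ".join(reasons))
```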