Bugtraq mailing list archives
RE: W2k: Unkillable Applications
From: "Snow, Corey" <CSNOW () ddpwa com>
Date: Mon, 16 Jul 2001 14:06:20 -0700
I can confirm this; I created a simple Win32 app named "Winlogon.exe" and Task Manager refused to terminate it.

However, I discovered something interesting: Microsoft's "kill" utility will terminate the faux winlogon.exe, but will not terminate the real one. See below- pid 1692 is the pid for my fake winlogon.exe. When the 'kill' command was executed, the process died right there with no fuss. However, 188 is the pid for the real winlogon.exe. Despite what it says about the 'NetDDE Agent' being killed, the winlogon.exe process continues to run just fine, and one can actually issue a kill command repeatedly with the same results. So far, it does not seem to have affected the operation of my system in any way whatsoever.

Corey M. Snow- csnow () ddpwa com
Senior Web Developer, Washington Dental Service
(206) 528-7361, Mobile (360) 481-2563
FAX: (206) 985-4939
Web: http://www.deltadentalwa.com

----
C:\TEMP>kill 1692
process WinLogon.exe (1692) - 'WinLogonTest' killed

C:\TEMP>kill 188
process WINLOGON.EXE (188) - 'NetDDE Agent' killed

C:\TEMP>
----
-----Original Message-----
From: Thomas Zehetbauer [mailto:thomasz () hostmaster org]
Sent: Monday, July 16, 2001 9:59 AM
To: Bugtraq Mailing List
Subject: W2k: Unkillable Applications

Task Manager in Windows 2000 refuses to kill any process named

- winlogon.exe
- csrss.exe
- smss.exe
- services.exe

showing a message box stating that this is a critical system process and cannot be ended by task manager.

Although these processes were and are still protected by their ACL (Access Control List) Microsoft is now using case-insensitive string comparison to determine whether a process belongs to the operating system.

You can now call your favorite trojan winlogon.exe and task manager will not only refuse to terminate it but will also incorrectly state that it is a critical system process.

Regards
Tom
--
T h o m a s Z e h e t b a u e r ( TZ251 )
PGP encrypted mail preferred - KeyID 96FFCB89
mail pgp-key-request () hostmaster org
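
An added example, not part of the thread and not code from either poster: a check a defender can run over a process snapshot that identifies the four protected names by full image path rather than by name alone, which is the distinction Task Manager's string comparison misses. The expected directory (the Windows 2000 default C:\WINNT\System32) and the sample snapshot, including the C:\TEMP path for the test binary, are assumptions constructed for illustration.

```python
import ntpath

# Names Task Manager refuses to end, as listed in the original post.
PROTECTED_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "services.exe"}

# Assumption: the genuine binaries live in %SystemRoot%\System32, with
# SystemRoot at the Windows 2000 default. Adjust for the host being checked.
EXPECTED_DIR = r"C:\WINNT\System32"


def _norm(path):
    # Windows paths are case-insensitive: lowercase and unify separators.
    return ntpath.normcase(ntpath.normpath(path))


def find_masquerades(processes, expected_dir=EXPECTED_DIR):
    """Return (pid, image_path) for every process that carries a protected
    name but was started from outside the expected system directory.

    `processes` is an iterable of (pid, full_image_path) pairs.
    """
    expected = _norm(expected_dir)
    findings = []
    for pid, image_path in processes:
        # Same case-insensitive name match Task Manager is described as using.
        name = ntpath.basename(image_path).lower()
        if name not in PROTECTED_NAMES:
            continue
        # The name alone proves nothing; the directory has to match as well.
        if _norm(ntpath.dirname(image_path)) != expected:
            findings.append((pid, image_path))
    return findings


# Constructed snapshot: pids 188 and 1692 mirror the roles in the post
# (real winlogon and the test binary); all paths are made up.
SAMPLE = [
    (188, r"C:\WINNT\system32\WINLOGON.EXE"),
    (212, r"C:\WINNT\System32\services.exe"),
    (1692, r"C:\TEMP\WinLogon.exe"),
    (1440, r"C:\Program Files\Editor\edit.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE):
        print(f"pid {pid}: protected name outside system directory: {path}")
```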