Bugtraq mailing list archives

Re[2]: W2k: Unkillable Applications


From: Phaedrus <phaedrus-securityfocus () lycanon org>
Date: Tue, 17 Jul 2001 11:57:49 -0700

Chris Adams <chris () improbable org> wrote:

CA> Task Manager is really inconsistent - I renamed a copy of notepad to
CA> winlogon.exe. If I start it and try to kill it through the "Applications"
CA> tab of the task manager, it will be killed as normal. If I try to kill it
CA> through the "Processes" tab, task manager won't let me.

The WinXP task manager also behaves this way (at least in RC1).

CA> It might be worth seeing exactly what triggers this behaviour in the task
CA> manager - the application tab might have a different filtering criteria
CA> (e.g. is it strictly ACL-based or might it be looking at something like the
CA> original filename attribute in the exe header?). In any case, a malicious
CA> attacker could simply make a program which doesn't open a window, which
CA> would cause it not to show up in the Applications tab.

It appears that the Processes tab is doing a simple filename-based
search, and the Applications tab isn't doing any search at all.
(After all, the 'critical system processes' like Winlogon would never
show up in the Applications tab in the first place, since they don't
have top-level windows associated with them.)

The amusing thing is that the Task Manager clearly has enough
information to discriminate between the 'real' Winlogon and the 'fake'
one, and even shows that information to the user; for example, the
real Winlogon is run under the SYSTEM account, while the fake one is
running as the user.  But it does not use this information in deciding
what processes to allow to be killed; it apparently only uses the
filename.

At the very, very least, the Task Manager should be making this check based
on the full pathname of the process, not just the filename; an
application running in C:\TEMP is highly unlikely to be a critical
system process...
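As an added example (not code from the thread), here is the kind of check Phaedrus is asking for: classify processes that carry a protected name by their full path and owning account rather than by filename alone. The expected-location table, the %SystemRoot% value of C:\WINNT and the process records are all constructed assumptions for the example, not data from a live system.

```python
from dataclasses import dataclass

# Assumed for the example: Windows 2000 system root and the account that the
# genuine copies of these processes run under.
SYSTEM_ROOT = r"C:\WINNT"
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Names that Task Manager refuses to kill, mapped to where the real binary
# lives.  Only the names discussed in the thread are needed here; the table
# is an assumption, not taken from Task Manager itself.
PROTECTED = {
    "winlogon.exe": SYSTEM_ROOT + r"\system32\winlogon.exe",
    "csrss.exe": SYSTEM_ROOT + r"\system32\csrss.exe",
    "lsass.exe": SYSTEM_ROOT + r"\system32\lsass.exe",
}


@dataclass
class Proc:
    pid: int
    name: str   # image filename, as Task Manager shows it
    path: str   # full pathname of the executable
    user: str   # account the process runs under


def classify(proc):
    """Return (verdict, reasons) for one process.

    'unprotected' : the name is not one Task Manager protects
    'genuine'     : name, full path and account all match expectations
    'impostor'    : the name matches but the path or account does not
    """
    name = proc.name.lower()
    if name not in PROTECTED:
        return "unprotected", []
    reasons = []
    # Windows paths and account names are case-insensitive, so compare folded.
    if proc.path.lower() != PROTECTED[name].lower():
        reasons.append("unexpected path: " + proc.path)
    if proc.user.lower() != SYSTEM_ACCOUNT.lower():
        reasons.append("unexpected account: " + proc.user)
    return ("impostor" if reasons else "genuine"), reasons


def find_impostors(procs):
    """Processes that borrow a protected name but fail the path/account check."""
    return [p for p in procs if classify(p)[0] == "impostor"]


# Constructed sample, modelled on the renamed-notepad case in the thread.
SAMPLE = [
    Proc(168, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe", SYSTEM_ACCOUNT),
    Proc(1204, "WINLOGON.EXE", r"C:\TEMP\winlogon.exe", r"W2K-BOX\chris"),
    Proc(1300, "notepad.exe", r"C:\WINNT\notepad.exe", r"W2K-BOX\chris"),
]
```

Run over the sample, only PID 1204 is reported: a filename-only check would have treated it exactly like PID 168.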

