Windows XP 'logon screen' runs as system account

[Menso Heus <menso () r4k net>]

Hi,

Recently I discovered that the process that shows the windows xp logon
screen (logonui.exe in your \winnt\system32\ folder) runs as the 
'system' user. This process gets started whenever the user logon 
screen gets shown, this is either after booting up Windows XP or
when switching users. 

In my experience so far the system account in Windows NT/2000 has 
(almost?) the same rights as the Administrator account. 
I decided it might be nice to kick it a bit in order to see if I 
could make it do things it isn't supposed to do.

I replaced the logonui.exe file with the task manager (which showed 
the user 'system' owns the process).

> From the taskmgr.exe process I tried spawning a new process, cmd.exe. 
I received the error "Not enough quota available to process this command.' 

I received the same error when I replaced the logonui.exe file directly
with cmd.exe. The command prompt would actually show, but any commands 
not built into cmd.exe itself would not run. 

After this I replaced the file with NT4's usrmgr.exe to see if I had 
rights enough to adjust user settings. It turns out that this is also
restricted. 

I also wrote some programs myself to try to push a user from the normal
user group into the admin group through the ADSI interface, but this 
didn't work out either.

Please note that the logonui.exe file can only be replaced by a user
that already has administrative rights. 

The thing is that a lot of Windows XP users are actually replacing this
file with copies they download of the net. From sites such as 
www.themexp.org it is possible to download 'customized logon screens'
which show your favorite actor or sports car or whatever.

I would like to warn for the fact that, since Microsoft chose to use a 
binary format for a file that only contains some info on where to place 
what pictures during logon and the pictures themselves, it is trivial to 
write a trojan that fakes a logon screen and e-mails the entered 
usernames & passwords. I have already written & tested one succesfully
on my home network. 

It is unclear to me why Microsoft chose to use a binary format for a 
file that, as far as I can see, contains nothing more than layout info.
History has already proved that users will gladly trade in security if it 
means they can see some chick or something funny during the logon process.

Still, a trojan ofcourse isn't a security bug. Since I do not know how 
they restricted the system account I would like to ask you for advice
on this. I have a feeling that it hasn't been done nicely, though I 
can't really tell why, probably because I don't understand *how* it
has been done :)

Any help with this would be greatly appreciated,

Menso

-- 
---------------------------------------------------------------------
Anyway, the :// part is an 'emoticon' representing a man with a strip 
of sticky tape across his mouth.   -R. Douglas, alt.sysadmin.recovery
---------------------------------------------------------------------