[21586] in bugtraq


Re: W2k: Unkillable Applications

daemon@ATHENA.MIT.EDU (Chris Adams)
Tue Jul 17 16:17:15 2001

Date: Tue, 17 Jul 2001 12:21:02 -0700
From: Chris Adams <chris@improbable.org>
To: Alun Jones <alun@texis.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <B779DE2D.3E9B%chris@improbable.org>
In-Reply-To: <4.3.2.7.2.20010717140718.025bef78@mail.io.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

on 2001-07-17 12:11, Alun Jones at alun@texis.com wrote:

> At 11:58 AM 7/17/2001, Chris Adams wrote:
>> on 2001-07-17 09:20, Justin Nelson at security@jm4n.com wrote:
>>> Under Windows 2000 Pro, I made a copy of "notepad.exe" renamed to
>>> "winlogon.exe", and could not kill it via the Task Manager. Both the 'kill'
>>> command and the VC++ debugger were able to kill it.
>> 
>> Task Manager is really inconsistent - I renamed a copy of notepad to
>> winlogon.exe. If I start it and try to kill it through the "Applications"
>> tab of the task manager, it will be killed as normal. If I try to kill it
>> through the "Processes" tab, task manager won't let me.
> 
> The answer here is that the "End Task" button on the "Applications" tab
> tries to send a WM_QUIT message to the foreground window.  The "End
> Process" (note the different name) button on the "Processes" tab calls
> TerminateProcess() on the process.
> 
> Task Manager _is_ being consistent - it's just that you don't seem to
> understand the difference between "Tasks" / "Applications" (really just
> windows with no parent) and "Processes" (which are true processes).

Whoa - can the flames, please. The reasons why this happens make sense but
the user interface is inconsistent. That's the problem here - a non-system
task will be reported as a system task, even though it's not and can easily
be terminated. The end process button will have different results depending
on whether it checks its hardcoded process list before attempting to kill
something.

Chris
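
Added example, not part of the original message or of Task Manager's code: the thread turns on a check that trusts the image name alone, so this sketch shows a defender-side check that also compares the image path before treating a process as a system process. Only winlogon.exe comes from the thread; the other names, the system directory and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Only winlogon.exe comes from the thread; the other names and the
# system directory are assumptions made for this example.
PROTECTED_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe"}
SYSTEM_DIR = r"C:\WINNT\system32"

def _norm(path):
    # Collapse "..", unify slashes and lowercase: Windows paths are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def classify(proc, system_dir=SYSTEM_DIR):
    """Return 'ok', 'masquerade' or 'unknown' for one process record."""
    if proc["name"].lower() not in PROTECTED_NAMES:
        return "ok"            # the name makes no claim to be a system process
    path = proc.get("path")
    if not path:
        return "unknown"       # image path unreadable: the name alone decides nothing
    directory = ntpath.dirname(_norm(path))
    return "ok" if directory == _norm(system_dir) else "masquerade"

def find_suspects(processes, system_dir=SYSTEM_DIR):
    """List (pid, verdict) for every record whose verdict is not 'ok'."""
    verdicts = ((p["pid"], classify(p, system_dir)) for p in processes)
    return [(pid, v) for pid, v in verdicts if v != "ok"]

# Constructed sample records (not real captures).
SAMPLE = [
    {"pid": 184, "name": "winlogon.exe", "path": r"C:\WINNT\system32\winlogon.exe"},
    {"pid": 1312, "name": "winlogon.exe",
     "path": r"C:\Documents and Settings\user\Desktop\winlogon.exe"},
    {"pid": 1400, "name": "notepad.exe", "path": r"C:\WINNT\system32\notepad.exe"},
    {"pid": 212, "name": "LSASS.EXE", "path": "c:/winnt/System32/../system32/lsass.exe"},
    {"pid": 8, "name": "csrss.exe", "path": None},
]

if __name__ == "__main__":
    for pid, verdict in find_suspects(SAMPLE):
        print(pid, verdict)
```

The renamed notepad copy from the thread corresponds to the second record: same name as the real winlogon.exe, different directory.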

