[21594] in bugtraq


Re: Re[2]: W2k: Unkillable Applications

daemon@ATHENA.MIT.EDU (Bronek Kozicki)
Wed Jul 18 10:43:35 2001

Message-ID: <002d01c10f79$9b7db1d0$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: "Phaedrus" <phaedrus-securityfocus@lycanon.org>,
        <bugtraq@securityfocus.com>
Date: Wed, 18 Jul 2001 13:05:51 +0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

> It appears that the Processes tab is doing a simple filename-based
> search, and the Applications tab isn't doing any search at all.
> (After all, the 'critical system processes' like Winlogon would never
> show up in the Applications tab in the first place, since they don't
> have top-level windows associated with them.)

Little mistake here. Winlogon _has_ a top-level window, it's just invisible.
You may make it easily visible with tools like showin.exe (you will find
more such windows, most are in the Explorer process). See the Microsoft 01-007
security bulletin for how this can be exploited.

> At the very, very least, the Task Manager should be making this check
> based on the full pathname of the process, not just the filename; an
> application running in C:\TEMP is highly unlikely to be a critical
> system process...

Agree.

regards

B.
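
Added example, not part of the original message or of any Microsoft code: a Python sketch contrasting the filename-only "critical process" check discussed in the thread with the full-pathname check proposed in the quoted text. The protected names other than Winlogon, the `C:\WINNT` system root, the sample process list and all function names are assumptions made for illustration.

```python
import ntpath

# Assumed for illustration: the thread names only Winlogon; the other names
# and the C:\WINNT system root are constructed sample values.
CRITICAL_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM_ROOT = r"C:\WINNT"
SYSTEM_DIR = ntpath.normcase(SYSTEM_ROOT + r"\system32")


def normalize(image_path):
    """Reduce an NT-style image path to a comparable Win32 path."""
    p = image_path.replace("/", "\\")
    if p.startswith("\\??\\"):                 # NT object-namespace prefix
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\SystemRoot"):]
    # normpath collapses ".." segments, normcase lowercases for comparison
    return ntpath.normcase(ntpath.normpath(p))


def critical_by_name(image_path):
    """The filename-only check the thread describes."""
    return ntpath.basename(image_path).lower() in CRITICAL_NAMES


def critical_by_path(image_path):
    """Name must match AND the image must sit directly in the system directory."""
    directory, name = ntpath.split(normalize(image_path))
    return name in CRITICAL_NAMES and directory == SYSTEM_DIR


def mismatches(image_paths):
    """Paths the filename check would treat as critical but the path check rejects."""
    return [p for p in image_paths
            if critical_by_name(p) and not critical_by_path(p)]


# Constructed sample process list (not taken from a real system)
SAMPLE = [
    r"\??\C:\WINNT\system32\winlogon.exe",
    r"\SystemRoot\System32\smss.exe",
    r"C:\TEMP\winlogon.exe",
    r"C:\WINNT\system32\..\..\TEMP\csrss.exe",
    r"C:\WINNT\system32\notepad.exe",
]

if __name__ == "__main__":
    for path in mismatches(SAMPLE):
        print("name-only check would shield:", path)
```

The fourth sample entry shows why the path has to be normalized before comparison: a plain prefix match on the system directory would accept it.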


