on 2001-07-17 09:20, Justin Nelson at [EMAIL PROTECTED] wrote:
>> cannot confirm that. I renamed one of my applications to
>> Winlogon.exe and succeeded to kill it without any problem
>> with taskmanager.
>
> Under Windows 2000 Pro, I made a copy of "notepad.exe" renamed to
> "winlogon.exe", and could not kill it via the Task Manager. Both the 'kill'
> command and the VC++ debugger were able to kill it.
Task Manager is really inconsistent - I renamed a copy of notepad to
winlogon.exe. If I start it and try to kill it through the "Applications"
tab of the task manager, it will be killed as normal. If I try to kill it
through the "Processes" tab, task manager won't let me.
I might be worth seeing exactly what triggers this behaviour in the task
manager - the application tab might have a different filtering criteria
(e.g. is it strictly ACL-based or might it be looking at something like the
original filename attribute in the exe header?). In any case, a malicious
attacker could simply make a program which doesn't open a window, which
would cause it not to show up in the Applications tab.
