Hacker News new | past | comments | ask | show | jobs | submit login

This is exactly why some versions of Windows required you to press ctrl-alt-delete to open the login form. Programs aren't allowed to block Windows from receiving ctrl-alt-delete, so a fake login program would not be able to stay on the screen after the user pressed ctrl-alt-delete. (Of course this only works if the user knows to always hit ctrl-alt-delete when they go to login. If the user sees an already-open (fake) login screen and does not hit ctrl-alt-delete, then they're vulnerable.)





The new Windows 10 login screen doesn't seem to support anything running on it, all I've seen is a duo security prompt that A. Only showed up after a login and B. Doesn't work on Windows 10 in a non-rdp session on a Microsoft account[0]. Sadly this also means you can't run something like Wallpaper Engine on the lock screen[1].

0: https://duo.com/docs/rdp-faq#can-i-use-duo-with-a-microsoft-...?

1: https://steamcommunity.com/app/431960/discussions/0/15001264...


The specific threat that ctrl-alt-delete's supposed to mitigate is where a user's already logged in, but a program's running that mimics the login prompt. Since applications can't handle ctrl-alt-del in Windows, if you pressed it at a fake login prompt, you'd get the Windows Security dialog/screen rather than a login prompt and it would be obvious that something's wrong.

Its utility's limited these days since consumer configurations of Windows have users trained not to expect to have to press ctrl-alt-del to log in. I'm not sure that it's even enabled by default on domain-joined machines any more as of Windows 10 (still available via Group Policy, though).


I've noticed sometimes the lock screen won't show the login dialog via the regular "press any keyboard key" action or via mouse dragging it up, I had to press ctrl-alt-delete. Maybe there are some heuristics that decide this that I don't know about.

I think ctrl-alt-delete generates a hardware interrupt.

It is not a hardware interrupt in the sense that there's nothing special about this key combination to generate a specific interrupt. The only related interrupts are the keyboard interrupts that happen for every keyboard activity, which the BIOS interprets and takes actions like turning on a key LED and storing the actions in a memory buffer (this is all in "real mode" on x86 processors) before that goes further up to the application. Capturing the keyboard interrupt could allow one to intercept specific keystrokes (like Ctrl+Alt+Del) before the OS gets it, but that's not possible in the OSes the most people use today (which all run in "protected mode").

In real mode, the BIOS intercepts it. But it's still not a hardware interrupt; it just never gets to the OS.



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: