Security Incidents mailing list archives

Re: [unisog] Re: Port 109 Mystery


From: David Moisan <dmoisan () davidmoisan org>
Date: Thu, 13 Mar 2003 23:21:15 -0500

At 09:01 AM 3/13/2003 -0500, Buck Buchanan wrote:

> Since fport normally does not display the "\??\" prefix, I am wondering if
> this might be a clue to how winlogon.exe was run.

Winlogon is a native process (as opposed to a Win32 process). It runs early in the boot process. As someone else noted, the path you saw is normal.

It *does* have a DLL, MSGINA.DLL; this gets the logon info from the user for Winlogon. It's designed so that third parties can use, say, a biometric MSGINA in place of the usual prompt.

Next question is if it's possible for MSGINA to be co-opted?

"Inside Windows 2000" is the best investment any Windows admin can make, next to the RK.

Take care,

Dave

David Moisan, N1KGH   ARES/SKYWARN             dmoisan () davidmoisan org
Invisible Disability:  http://www1.shore.net/~dmoisan/invisible_disability.html
ATS-909 FAQ:  http://www1.shore.net/~dmoisan/faqs/sangean/ats909faq.html

