Thursday, September 25, 2014

Why You Can't Launch Task Manager on the Secure Desktop

Why can't you launch Task Manager when on the Windows secure desktop (logon/lock screen)?

Imagine if that were possible. Since there is usually no user logged on when you're at the logon screen, any programs running there run as NT AUTHORITY\SYSTEM, the full-power local system account, which is more powerful than any administrator. If a process spawns another process, the new process inherits the owner and elevation level of the old one. Basically, you'd have given full control of the computer to whoever walked up to the lock screen, because Task Manager has that "New Task" menu option.
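The inheritance rule described above can be observed from any PowerShell prompt. The following is an added example, not part of the original post; it assumes Windows PowerShell, and the variable names are the example's own. It runs the same token query in the current process and in a freshly spawned child, then compares the two.

```powershell
# Added illustration: a child process gets the same user and elevation state as its parent.
# The same query is run in this process and in a newly spawned powershell.exe.
$tokenSummary = {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        ProcessId = $PID                # differs between parent and child
        User      = $id.Name            # e.g. NT AUTHORITY\SYSTEM for a SYSTEM process
        Sid       = $id.User.Value
        IsSystem  = $id.IsSystem
        # With UAC, this is False for a filtered (non-elevated) administrator token
        Elevated  = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Query the current (parent) process
$parent = & $tokenSummary

# Spawn a child process and run the identical query there;
# PowerShell returns the child's output as a deserialized object
$child = powershell.exe -NoProfile -Command $tokenSummary

$parent, $child | Format-Table ProcessId, User, Sid, IsSystem, Elevated

if ($child.Sid -eq $parent.Sid -and $child.Elevated -eq $parent.Elevated) {
    "Child $($child.ProcessId) inherited user '$($child.User)' (elevated: $($child.Elevated)) from parent $($parent.ProcessId)."
} else {
    "Child token differs from parent token."
}
```

Run from a normal console, both rows show your account with Elevated False; run from an elevated console, both show True. Nothing in the child asked for those rights; it simply received the parent's.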

Why not restrict the process-creating abilities of Task Manager when it's on the logon screen? Because it would still have the authority to kill any task, and that's kind of the entire point of having Task Manager. (Similar reasoning can be applied to the proposition of having it run as NT AUTHORITY\ANONYMOUS.)

Most importantly, if you're on the logon screen, you haven't logged in to run any programs. If you're a computer administrator, you can log in even when other users have locked the machine and create a super awesome elevated Task Manager from there.
