Vista should not make it possible for a process to stay invisible;
Either improve the Task Manager, fix the base process-enumeration APIs, or drop any mention of "security" from the hype.

Invisible Processes
I totally agree with you - the one way I tell if a virus or malware is on a system is to check in Task Manager. You can normally spot them because of the way they act, low RAM usage but higher CPU usage and the name of the process in general, and if the Task Manager continues to be the way it is and hide processes, it'll be harder and harder to track things like viruses.
You see, OK Vista has Defender installed and running by default, but that only picks up the lower-end-of-the-scale-malware, spyware and stuff. However if you have an actual virus, there'll be no way of getting rid of it unless you have an anti-virus installed... it just makes more sense to have everything show up so I totally agree with you.
-- Zack Whittaker Microsoft Beta (Windows Server R2 Beta Mentor) » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: http://msblog.resdev.net » ZackNET Forum: www.zacknet.co.uk/forum » VistaBase: www.zacknet.co.uk/vistabase » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, mother or cat. Let's be clear on that one!
--- Original message follows --- "Adahn" wrote in message
Vista should not make it possible for a process to stay invisible;
Either improve the Task Manager, fix the base process-enumeration APIs, or drop any mention of "security" from the hype.
"You can normally spot them because of the way they act, low RAM usage but higher CPU usage and the name of the process in general, and if the Task Manager continues to be the way it is and hide processes, it'll be harder and harder to track things like viruses."
So much for Vista being "security"...
-- Nicholas...
"Overclock Your Life, Then The World"
Also, Task Manager needs to show where the executable file is located.
"Adahn" wrote in message
Vista should not make it possible for a process to stay invisible;
Either improve the Task Manager, fix the base process-enumeration APIs, or drop any mention of "security" from the hype.
I am not sure what you mean. If you are talking about the ability of malware to infect the kernel to hide itself, then 64-bit XP and Vista have what is called PatchGuard. This prevents malware (actually anybody for that matter) from hooking any of the kernel tables like SSDT and IDT and also the in-memory image of the kernel. This will make it very hard for malware to hide itself.
Soumik.
On Sat, 11 Mar 2006 20:34:54 -0800, Adahn wrote:
Vista should not make it possible for a process to stay invisible;
Either improve the Task Manager, fix the base process-enumeration APIs, or drop any mention of "security" from the hype.
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Thanks Zack, help get this issue out to MS will you, here's the details;
I never paid much thought to "root-kits" and the like until I decided to try Maple Story (www.mapleglobal.com) under build 5270, as it had previously resulted in BSODs and worse under 5219.
Now, during installation or the first-run, Windows Defender reports a new service: \system32\npptNT2.sys
even if you elect to Block it, once the game runs you can find no traces of it in any system monitoring tool...
Now this raises several issues;
1: It's all good that the Defender picked it up, but shouldn't it be handled at the core/kernel level, to make it impossible for a process to stay invisible?
2: If we're too aggressive in blocking such behavior, it'll obviously break the program and prevent it from running at all, of course, but with all that talk of Virtualisation and whatnot in Vista, shouldn't the OS be able to just "lie" and assure the process that it has been hidden?
3: As an online game that uses live cash transactions, Maple Story has every right to prevent hacking in any way that it can, but what's to keep malicious apps, or even Microsoft themselves for that matter, from injecting invisible processes into your system?
4: If, as others have mentioned on these forums, third-party tools are able to detect and report invisible apps, why not Task Manager itself?
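Point 4 above refers to third-party tools that can report hidden processes; the thread does not say how they work. One common approach is a cross-view comparison, shown here as an added example that is not part of the original thread: it flags PIDs that thread or socket ownership data references but the enumeration API's list omits, and only when the gap persists across samples. The snapshot data, PIDs and all names are constructed for illustration.

```python
from dataclasses import dataclass

# Idle pseudo-process: listed by some views and not others, so never a finding.
IGNORED_PIDS = frozenset({0})


@dataclass(frozen=True)
class Snapshot:
    """One sampling pass; each field is a set of PIDs from an independent source."""
    api_list: frozenset       # PIDs returned by the process-enumeration API
    thread_owners: frozenset  # PIDs that own at least one thread
    socket_owners: frozenset  # PIDs that own at least one open network endpoint


def hidden_in(snap):
    """PIDs some lower-level view references but the enumeration API omitted."""
    return (snap.thread_owners | snap.socket_owners) - snap.api_list - IGNORED_PIDS


def persistent_hidden(snapshots, min_consecutive=2):
    """Map each PID hidden in >= min_consecutive samples in a row to its evidence.

    A one-sample gap is usually a race (a process started or exited between
    the two queries), so only a streak is reported.
    """
    streak, flagged = {}, {}
    for snap in snapshots:
        # PIDs absent from this sample's hidden set drop out, resetting their streak.
        streak = {pid: streak.get(pid, 0) + 1 for pid in hidden_in(snap)}
        for pid, run in streak.items():
            if run >= min_consecutive:
                views = [name for name, pids in (("threads", snap.thread_owners),
                                                 ("sockets", snap.socket_owners))
                         if pid in pids]
                flagged[pid] = {"samples": run, "seen_in": views}
    return flagged


# Constructed samples: PID 2900 starts between the two queries of sample 1 (a race);
# PID 3316 owns threads and a socket but is never returned by the enumeration API.
SAMPLES = [
    Snapshot(frozenset({4, 612, 1380, 2044}),
             frozenset({4, 612, 1380, 2044, 2900, 3316}),
             frozenset({612})),
    Snapshot(frozenset({4, 612, 1380, 2044, 2900}),
             frozenset({4, 612, 1380, 2044, 2900, 3316}),
             frozenset({612, 3316})),
    Snapshot(frozenset({4, 612, 1380, 2900}),
             frozenset({0, 4, 612, 1380, 2900, 3316}),
             frozenset({612, 3316})),
]

if __name__ == "__main__":
    for pid, evidence in persistent_hidden(SAMPLES).items():
        print(f"PID {pid}: hidden in {evidence['samples']} samples, "
              f"seen in {evidence['seen_in']}")
```

A persistent discrepancy is a lead for closer inspection, not proof; a kernel component that filters every view the check reads will not show up this way.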
I just want to add that rootkits cannot be installed on x64 systems.
"Adahn" wrote in message
Thanks Zack, help get this issue out to MS will you, here's the details;
I never paid much thought to "root-kits" and the like until I decided to try Maple Story (www.mapleglobal.com) under build 5270, as it had previously resulted in BSODs and worse under 5219.
Now, during installation or the first-run, Windows Defender reports a new service: \system32\npptNT2.sys
even if you elect to Block it, once the game runs you can find no traces of it in any system monitoring tool...
Now this raises several issues;
1: It's all good that the Defender picked it up, but shouldn't it be handled at the core/kernel level, to make it impossible for a process to stay invisible?
2: If we're too aggressive in blocking such behavior, it'll obviously break the program and prevent it from running at all, of course, but with all that talk of Virtualisation and whatnot in Vista, shouldn't the OS be able to just "lie" and assure the process that it has been hidden?
3: As an online game that uses live cash transactions, Maple Story has every right to prevent hacking in any way that it can, but what's to keep malicious apps, or even Microsoft themselves for that matter, from injecting invisible processes into your system?
4: If, as others have mentioned on these forums, third-party tools are able to detect and report invisible apps, why not Task Manager itself?
Yet. Never underestimate the hoodlums. -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Howard" wrote in message news: uwuBeS%23RGHA.1160@TK2MSFTNGP09.phx.gbl... |I just want to add that rootkits cannot be installed on x64 systems.
In article , "Howard" wrote:
I just want to add that rootkits cannot be installed on x64 systems.
Never mistake "has not" for "cannot".
As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you can always insert a rootkit between the BIOS and the OS. Since any non-quantum computer can be emulated by any other non-quantum computer to any degree of accuracy, there is always a way to do this, as long as you can get the darn thing past the requirement of needing administrative access.
Sadly, buying an x64 processor doesn't get rid of the most frequent cause of inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes, while your processor may have doubled in bits, the person running it is still the same two-bit hack he's always been, and will gladly give up his administrator password in return for a chance at a glimpse of the dancing pigs.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.] -- Texas Imperial Software | Find us at http://www.wftpd.com or email 23921 57th Ave SE | alun@wftpd.com. Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
"Alun Jones" wrote in message
In article , "Howard" <howdy0909@yahoo.com> wrote: I just want to add that rootkits cannot be installed on x64 systems.
Never mistake "has not" for "cannot".
As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you can always insert a rootkit between the BIOS and the OS. Since any non-quantum computer can be emulated by any other non-quantum computer to any degree of accuracy, there is always a way to do this, as long as you can get the darn thing past the requirement of needing administrative access.
Sadly, buying an x64 processor doesn't get rid of the most frequent cause of inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes, while your processor may have doubled in bits, the person running it is still the same two-bit hack he's always been, and will gladly give up his administrator password in return for a chance at a glimpse of the dancing pigs.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.] -- Texas Imperial Software | Find us at http://www.wftpd.com or email 23921 57th Ave SE | alun@wftpd.com. Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
while your processor may have doubled in bits, the person running it is still the same two-bit hack he's always been, and will gladly give up his administrator password in return for a chance at a glimpse of the dancing pigs.
LOL?!??
Wonderful. How about we all post a random link to some page at Microsoft - or are you suggesting that this page either supports or debunks my statements? If that's what you intended, perhaps you can give some explanation?
Alun. ~~~~
"Howard" wrote:
http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
"Alun Jones" wrote in message In article , "Howard" <howdy0909@yahoo.com> wrote: I just want to add that rootkits cannot be installed on x64 systems.
Never mistake "has not" for "cannot".
As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you can always insert a rootkit between the BIOS and the OS. Since any non-quantum computer can be emulated by any other non-quantum computer to any degree of accuracy, there is always a way to do this, as long as you can get the darn thing past the requirement of needing administrative access.
Sadly, buying an x64 processor doesn't get rid of the most frequent cause of inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes, while your processor may have doubled in bits, the person running it is still the same two-bit hack he's always been, and will gladly give up his administrator password in return for a chance at a glimpse of the dancing pigs.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.] -- Texas Imperial Software | Find us at http://www.wftpd.com or email 23921 57th Ave SE | alun@wftpd.com. Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
OK. I should have been more careful not to use that word. I agree no system is 100% secure. From what I understand, most rootkits are patches to the kernel. Disabling that feature in x64 operating systems makes them more secure and less vulnerable to existing malware.
Just curious, how are quantum computers different? They are still designed by humans and prone to have mistakes.
Howard
"Alun Jones" wrote in message
Wonderful. How about we all post a random link to some page at Microsoft - or are you suggesting that this page either supports or debunks my statements? If that's what you intended, perhaps you can give some explanation?
Alun. ~~~~
"Howard" wrote:
http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
"Alun Jones" wrote in message In article , "Howard" <howdy0909@yahoo.com> wrote: I just want to add that rootkits cannot be installed on x64 systems.
Never mistake "has not" for "cannot".
As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you can always insert a rootkit between the BIOS and the OS. Since any non-quantum computer can be emulated by any other non-quantum computer to any degree of accuracy, there is always a way to do this, as long as you can get the darn thing past the requirement of needing administrative access.
Sadly, buying an x64 processor doesn't get rid of the most frequent cause of inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes, while your processor may have doubled in bits, the person running it is still the same two-bit hack he's always been, and will gladly give up his administrator password in return for a chance at a glimpse of the dancing pigs.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.] -- Texas Imperial Software | Find us at http://www.wftpd.com or email 23921 57th Ave SE | alun@wftpd.com. Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Just curious, how are quantum computers different? They are still designed by humans and prone to have mistakes.
and they tend to come up with "42" as the answer to most stuff, for some strange reason
But, they come up with the answer even when they're not turned on... (sorry, I can't locate the link, but it's *not* a joke) -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Adahn" wrote in message news: %23gXo1tqSGHA.2276@tk2msftngp13.phx.gbl... |> Just curious, how are quantum computers different? They are still designed | > by humans and prone to have mistakes. | | and they tend to come up with "42" as the answer to most stuff, for some | strange reason |
LOL - it's because in the book "The Hitchhiker's Guide to the Universe"... long story short, these guys on a separate planet wanted to know "the answer to life, the universe and everything". However, the computer took a few million years to work it out...
"You're not going to like it... there wasn't much to go on, but the answer I've come up with... is 42."
Also to prove the point, Google has this also: http://www.google.co.uk/search?hl=en&q=the+answer+to+life%2C+the+universe+and+everything&meta=
-- Zack Whittaker » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: www.msblog.org » Vista Knowledge Base: www.vistabase.co.uk » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, Gandhi, my mother or my cat. Glad we cleared that up!
--- Original message follows --- "Pierre Szwarc" wrote in message
But, they come up with the answer even when they're not turned on... (sorry, I can't locate the link, but it's *not* a joke) -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Adahn" wrote in message news: %23gXo1tqSGHA.2276@tk2msftngp13.phx.gbl... |> Just curious, how are quantum computers different? They are still designed | > by humans and prone to have mistakes. | | and they tend to come up with "42" as the answer to most stuff, for some | strange reason |
Thanks for all the fish, but I did spot the reference <g> However, the fact that an Italian team did manage to get results out of a quantum computer that wasn't turned on remains... I even remember the remark from one of the researchers, "you get fewer mistakes from a computer that's not running" <lol> -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Zack Whittaker (R2 Mentor)" wrote in message news: eOirIzsSGHA.5900@tk2msftngp13.phx.gbl... | LOL - it's because in the book "The Hitchhiker's Guide to the Universe"... | long story short, these guys on a separate planet wanted to know "the answer | to life, the universe and everything". However, the computer took a few | million years to work it out... | | "You're not going to like it... there wasn't much to go on, but the answer | I've come up with... is 42." | | Also to prove the point, Google has this also: | http://www.google.co.uk/search?hl=en&q=the+answer+to+life%2C+the+universe+and+everything&meta= |
Thanks for all the fish, but I did spot the reference <g> However, the fact that an Italian team did manage to get results out of a quantum computer that wasn't turned on remains... I even remember the remark from one of the researchers, "you get fewer mistakes from a computer that's not running" lol
Good.. first invisible processes now undead computers
just adopt some stylized pentagram in place of the Windows Flag and we can have the sequel to Fear.com
Thanks for all the fish, but I did spot the reference <g> However, the fact that an Italian team did manage to get results out of a quantum computer that wasn't turned on remains... I even remember the remark from one of the researchers, "you get fewer mistakes from a computer that's not running" lol
Good.. first invisible processes now undead computers
just adopt some stylized pentagram in place of the Windows Flag and we can have the sequel to Fear.com
Thanks for all the fish, but I did spot the reference <g> However, the fact that an Italian team did manage to get results out of a quantum computer that wasn't turned on remains... I even remember the remark from one of the researchers, "you get fewer mistakes from a computer that's not running" lol
Good.. first invisible processes now undead computers
just adopt some stylized pentagram in place of the Windows Flag and we can have the sequel to Fear.com
Dude, you need to get your Windows Mail sorted ;o)
-- Zack Whittaker » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: www.msblog.org » Vista Knowledge Base: www.vistabase.co.uk » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, Gandhi, my mother or my cat. Glad we cleared that up!
--- Original message follows --- "Adahn" wrote in message
Thanks for all the fish, but I did spot the reference <g> However, the fact that an Italian team did manage to get results out of a quantum computer that wasn't turned on remains... I even remember the remark from one of the researchers, "you get fewer mistakes from a computer that's not running" lol
Good.. first invisible processes now undead computers
just adopt some stylized pentagram in place of the Windows Flag and we can have the sequel to Fear.com
and now digital doppelgangers. perfect
"Zack Whittaker (R2 Mentor)" wrote in message > Dude, you need to get your Windows Mail sorted ;o)
and now digital doppelgangers. perfect
"Zack Whittaker (R2 Mentor)" wrote in message > Dude, you need to get your Windows Mail sorted ;o)