Windows Vista Forums
Task manager violates security how many ways?

Old 06-13-2007   #1 (permalink)
Norman Diamond
Guest


 

Task manager violates security how many ways?

In a Vista Ultimate installation, there are several administrative users and
several standard users. A standard user can press Ctrl+Shift+Esc to invoke
the Task Manager. A standard user can click the Processes tab. So far, so
good.

At the bottom of the Task Manager screen is a button saying "Show processes
from all users". I HAVE NOT CLICKED THIS BUTTON. Intuitively I think that
if I click the button then Vista will prompt with a list of administrative
users, I will have to select one, and I will have to type its password. I
haven't tried it yet.

Task Manager is showing processes owned by Task Manager's owner (a standard
user) AND processes owned by an administrative user. Why?

Here is a link to a screenshot. The user "英語ユーザ" is a standard user.
Previously an administrative user installed the English language pack and
this standard user is using it (this part of it is mostly working). The
user "soft1" is an administrative user.
http://www.geocities.jp/hitotsubishi...ed_taskmgr.png


Old 06-13-2007   #2 (permalink)
David Dickinson
Guest


 

Re: Task manager violates security how many ways?

> Task Manager is showing processes owned by Task Manager's owner (a
> standard user) AND processes owned by an administrative user. Why?


I don't understand the problem. Do you mean that a standard user might see
that an administrator was playing Postal2 just before a fast user switch?

While there might be a relationship to issues of confidentiality, I wouldn't
exactly call this a "security violation" unless examining the programs that
another user has running violates a company's policies. In that case, you
can use group policy to prohibit standard users from running Task Manager.

--
David Dickinson
eveningstar at die-spammer-die dash mvps dot org
Please reply only to the newsgroup, not by email.

Old 06-13-2007   #3 (permalink)
Rock
Guest


 

Re: Task manager violates security how many ways?

"Norman Diamond" <ndiamond@community.nospam> wrote in message
news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
> In a Vista Ultimate installation, there are several administrative users
> and several standard users. A standard user can press Ctrl+Shift+Esc to
> invoke the Task Manager. A standard user can click the Processes tab. So
> far, so good.
>
> At the bottom of the Task Manager screen is a button saying "Show
> processes from all users". I HAVE NOT CLICKED THIS BUTTON. Intuitively I
> think that if I click the button then Vista will prompt with a list of
> administrative users, I will have to select one, and I will have to type
> its password. I haven't tried it yet.


Yes, if you click that button from a standard user account, then it will
request credentials, the password on an admin account, to show all the
processes.

> Task Manager is showing processes owned by Task Manager's owner (a
> standard user) AND processes owned by an administrative user. Why?
>
> Here is a link to a screenshot. The user "英語ユーザ" is a standard user.
> Previously an administrative user installed the English language pack and
> this standard user is using it (this part of it is mostly working). The
> user "soft1" is an administrative user.
> http://www.geocities.jp/hitotsubishi...ed_taskmgr.png


That's normal for a standard user. It's not showing all the processes on
the system that one would see by clicking on show processes from all users.

--
Rock [MS-MVP User/Shell]

Old 06-13-2007   #4 (permalink)
Norman Diamond
Guest


 

Re: Task manager violates security how many ways?

"David Dickinson" <eveningstar@die-spammer-die.mvps.org> wrote in message
news:uVRQUUarHHA.4740@TK2MSFTNGP02.phx.gbl...
>> Task Manager is showing processes owned by Task Manager's owner (a
>> standard user) AND processes owned by an administrative user. Why?

>
> I don't understand the problem. Do you mean that a standard user might
> see that an administrator was playing Postal2 just before a fast user
> switch?


Well that wasn't my meaning but it's equally good as my meaning. I think
that Task Manager shouldn't show other users' processes unless the user asks
for it, AND that a standard user shouldn't be able to see other users'
processes at all. And I think these two thoughts should be additive not
subtractive ^_^

> While there might be a relationship to issues of confidentiality, I
> wouldn't exactly call this a "security violation"


Consider what kind of user is permitted to run the Event Viewer. Microsoft
seems to have designed security to include viewing as well as changing.

Old 06-13-2007   #5 (permalink)
Norman Diamond
Guest


 

Re: Task manager violates security how many ways?

"Rock" <Rock@nospam.net> wrote in message
news:urTrrzarHHA.3276@TK2MSFTNGP04.phx.gbl...
> "Norman Diamond" <ndiamond@community.nospam> wrote in message
> news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
>> At the bottom of the Task Manager screen is a button saying "Show
>> processes from all users". I HAVE NOT CLICKED THIS BUTTON. Intuitively
>> I think that if I click the button then Vista will prompt with a list of
>> administrative users, I will have to select one, and I will have to type
>> its password. I haven't tried it yet.

>
> Yes, if you click that button from a standard user account, then it will
> request credentials, the password on an admin account, to show all the
> processes.


Thank you for confirming my intuition.

>> Task Manager is showing processes owned by Task Manager's owner (a
>> standard user) AND processes owned by an administrative user. Why?

>
> That's normal for a standard user. It's not showing all the processes on
> the system that one would see by clicking on show processes from all
> users.


Sure it's not showing all, but why is it showing any? I think it shouldn't
show any other users' processes until administrative credentials are input
(especially when the other users' processes are running as admin).

Old 06-13-2007   #6 (permalink)
Seth
Guest


 

Re: Task manager violates security how many ways?

"Norman Diamond" <ndiamond@community.nospam> wrote in message
news:e86Pa$arHHA.1172@TK2MSFTNGP03.phx.gbl...
> "Rock" <Rock@nospam.net> wrote in message
> news:urTrrzarHHA.3276@TK2MSFTNGP04.phx.gbl...
>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>> news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
>>> At the bottom of the Task Manager screen is a button saying "Show
>>> processes from all users". I HAVE NOT CLICKED THIS BUTTON. Intuitively
>>> I think that if I click the button then Vista will prompt with a list of
>>> administrative users, I will have to select one, and I will have to type
>>> its password. I haven't tried it yet.

>>
>> Yes, if you click that button from a standard user account, then it will
>> request credentials, the password on an admin account, to show all the
>> processes.

>
> Thank you for confirming my intuition.
>
>>> Task Manager is showing processes owned by Task Manager's owner (a
>>> standard user) AND processes owned by an administrative user. Why?

>>
>> That's normal for a standard user. It's not showing all the processes on
>> the system that one would see by clicking on show processes from all
>> users.

>
> Sure it's not showing all, but why is it showing any? I think it
> shouldn't show any other users' processes until administrative credentials
> are input (especially when the other users' processes are running as
> admin).


The additional processes you are seeing are system processes that are
running in the current user's context.

Old 06-14-2007   #7 (permalink)
Norman Diamond
Guest


 

Re: Task manager violates security how many ways?

"Seth" <seth_lermanNOSPAM@hotmail.com> wrote in message
news:SY_bi.26$Wr7.16@newsfe12.lga...
> "Norman Diamond" <ndiamond@community.nospam> wrote in message
> news:e86Pa$arHHA.1172@TK2MSFTNGP03.phx.gbl...
>> "Rock" <Rock@nospam.net> wrote in message
>> news:urTrrzarHHA.3276@TK2MSFTNGP04.phx.gbl...
>>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>>> news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
>>>> At the bottom of the Task Manager screen is a button saying "Show
>>>> processes from all users". I HAVE NOT CLICKED THIS BUTTON.
>>>>
>>>> Task Manager is showing processes owned by Task Manager's owner (a
>>>> standard user) AND processes owned by an administrative user. Why?
>>>
>>> That's normal for a standard user. It's not showing all the processes
>>> on the system that one would see by clicking on show processes from all
>>> users.

>>
>> Sure it's not showing all, but why is it showing any? I think it
>> shouldn't show any other users' processes until administrative
>> credentials are input (especially when the other users' processes are
>> running as admin).

>
> The additional processes you are seeing are system processes that are
> running in the current user's context.


As shown in the screenshot, the additional processes are not system
processes and they are not running in the current user's context.
http://www.geocities.jp/hitotsubishi...ed_taskmgr.png
Administrative user "soft1" is running user process "cmd.exe" in the context
of user "soft1". I can type input into that window. I still wonder why
standard user "英語ユーザ" was able to see processes owned by "soft1".

(For example, after posting, I typed the command line "taskmgr" and got a
second Task Manager window. As expected, the second one was owned by user
"soft1" instead of "英語ユーザ". As expected, that one did show system
processes. As expected, system processes were owned by user SYSTEM or LOCAL
SERVICE or NETWORK SERVICE.)

Old 06-19-2007   #8 (permalink)
Seth
Guest


 

Re: Task manager violates security how many ways?

"Norman Diamond" <ndiamond@community.nospam> wrote in message
news:Ook6JturHHA.1296@TK2MSFTNGP06.phx.gbl...
> "Seth" <seth_lermanNOSPAM@hotmail.com> wrote in message
> news:SY_bi.26$Wr7.16@newsfe12.lga...
>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>> news:e86Pa$arHHA.1172@TK2MSFTNGP03.phx.gbl...
>>> "Rock" <Rock@nospam.net> wrote in message
>>> news:urTrrzarHHA.3276@TK2MSFTNGP04.phx.gbl...
>>>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>>>> news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
>>>>> At the bottom of the Task Manager screen is a button saying "Show
>>>>> processes from all users". I HAVE NOT CLICKED THIS BUTTON.
>>>>>
>>>>> Task Manager is showing processes owned by Task Manager's owner (a
>>>>> standard user) AND processes owned by an administrative user. Why?
>>>>
>>>> That's normal for a standard user. It's not showing all the processes
>>>> on the system that one would see by clicking on show processes from all
>>>> users.
>>>
>>> Sure it's not showing all, but why is it showing any? I think it
>>> shouldn't show any other users' processes until administrative
>>> credentials are input (especially when the other users' processes are
>>> running as admin).

>>
>> The additional processes you are seeing are system processes that are
>> running in the current user's context.

>
> As shown in the screenshot, the additional processes are not system
> processes and they are not running in the current user's context.
> http://www.geocities.jp/hitotsubishi...ed_taskmgr.png
> Administrative user "soft1" is running user process "cmd.exe" in the
> context of user "soft1". I can type input into that window. I still
> wonder why standard user "英語ユーザ" was able to see processes owned by
> "soft1".


But you don't specify "how" those processes were launched. Are they
showing up from a previous Windows session where they were launched and then
you "switched" users? Or were they run using "RunAs" from within the
current user context?

> (For example, after posting, I typed the command line "taskmgr" and got a
> second Task Manager window. As expected, the second one was owned by user
> "soft1" instead of "英語ユーザ". As expected, that one did show system
> processes. As expected, system processes were owned by user SYSTEM or
> LOCAL SERVICE or NETWORK SERVICE.)



Old 06-19-2007   #9 (permalink)
Alun Harford
Guest


 

Re: Task manager violates security how many ways?

Norman Diamond wrote:
> "Seth" <seth_lermanNOSPAM@hotmail.com> wrote in message
> news:SY_bi.26$Wr7.16@newsfe12.lga...
>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>> news:e86Pa$arHHA.1172@TK2MSFTNGP03.phx.gbl...
>>> "Rock" <Rock@nospam.net> wrote in message
>>> news:urTrrzarHHA.3276@TK2MSFTNGP04.phx.gbl...
>>>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>>>> news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
>>>>> At the bottom of the Task Manager screen is a button saying "Show
>>>>> processes from all users". I HAVE NOT CLICKED THIS BUTTON.
>>>>>
>>>>> Task Manager is showing processes owned by Task Manager's owner (a
>>>>> standard user) AND processes owned by an administrative user. Why?
>>>>
>>>> That's normal for a standard user. It's not showing all the
>>>> processes on the system that one would see by clicking on show
>>>> processes from all users.
>>>
>>> Sure it's not showing all, but why is it showing any? I think it
>>> shouldn't show any other users' processes until administrative
>>> credentials are input (especially when the other users' processes are
>>> running as admin).

>>
>> The additional processes you are seeing are system processes that are
>> running in the current user's context.

>
> As shown in the screenshot, the additional processes are not system
> processes and they are not running in the current user's context.
> http://www.geocities.jp/hitotsubishi...ed_taskmgr.png
> Administrative user "soft1" is running user process "cmd.exe" in the
> context of user "soft1".


I doubt that. I suspect that "soft1" is running cmd.exe in the context
of "Administrators", which all users can see.

Alun Harford
Old 06-20-2007   #10 (permalink)
Norman Diamond
Guest


 

Re: Task manager violates security how many ways?

"Seth" <seth_lermanNOSPAM@hotmail.com> wrote in message
news:%uNdi.74$QA2.28@newsfe12.lga...
> "Norman Diamond" <ndiamond@community.nospam> wrote in message
> news:Ook6JturHHA.1296@TK2MSFTNGP06.phx.gbl...
>> "Seth" <seth_lermanNOSPAM@hotmail.com> wrote in message
>> news:SY_bi.26$Wr7.16@newsfe12.lga...
>>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>>> news:e86Pa$arHHA.1172@TK2MSFTNGP03.phx.gbl...
>>>> "Rock" <Rock@nospam.net> wrote in message
>>>> news:urTrrzarHHA.3276@TK2MSFTNGP04.phx.gbl...
>>>>> "Norman Diamond" <ndiamond@community.nospam> wrote in message
>>>>> news:u0eSVUZrHHA.5028@TK2MSFTNGP05.phx.gbl...
>>>>>> At the bottom of the Task Manager screen is a button saying "Show
>>>>>> processes from all users". I HAVE NOT CLICKED THIS BUTTON.
>>>>>> Task Manager is showing processes owned by Task Manager's owner (a
>>>>>> standard user) AND processes owned by an administrative user. Why?
>>>>>
>>>>> That's normal for a standard user. It's not showing all the processes
>>>>> on the system that one would see by clicking on show processes from
>>>>> all users.
>>>>
>>>> Sure it's not showing all, but why is it showing any? I think it
>>>> shouldn't show any other users' processes until administrative
>>>> credentials are input (especially when the other users' processes are
>>>> running as admin).
>>>
>>> The additional processes you are seeing are system processes that are
>>> running in the current user's context.

>>
>> As shown in the screenshot, the additional processes are not system
>> processes and they are not running in the current user's context.
>> http://www.geocities.jp/hitotsubishi...ed_taskmgr.png
>> Administrative user "soft1" is running user process "cmd.exe" in the
>> context of user "soft1". I can type input into that window. I still
>> wonder why standard user "英語ユーザ" was able to see processes owned by
>> "soft1".

>
> But you don't specify "how" those processes were launched. Are they
> showing up from a previous Windows session where they were launched and
> then you "switched" users? Or were they run using "RunAs" from within the
> current user context?


cmd.exe was launched using Vista's equivalent of "RunAs". That command
window and any programs started from that command window operate in the
context of user "soft1" not user "英語ユーザ". I still don't see why it is
considered acceptable for an instance of taskmgr.exe which is running in the
context of standard user "英語ユーザ" to display any of the tasks which run
in the context of a user other than "英語ユーザ".

(In contrast when another instance of taskmgr.exe was started by
administrative user "soft1" and that privileged instance showed everything,
that seemed reasonable to me.)
