
Ctrl+Alt+Del is a secure attention sequence (Microsoft) (or secure attention key (Wikipedia), but it's more a Linux term).

As we can read,

A key sequence that begins the process of logging on or off. The default sequence is CTRL+ALT+DEL.

it is only the default sequence, which means that other sequences might exist. In an answer to a related question, we can read that Win+Pwr is also a SAS, at least on some devices.

I've been using Win+L to lock my desktop, since I find it easier to use, and I even recommend that to other people. From my own research, this combination cannot be registered as a hotkey either. But: I have no official documentation on it.

Why do I even care? If it's not a SAS, the key combination could be hooked (likely by a non-privileged application) and someone could show a fake login dialog on which I would then enter my password.

So, is Win+L a secure attention sequence?

I have seen previously linked questions and

  • How does CTRL-ALT-DEL to log in make Windows more secure? (ServerFault)
  • some code from 2010 where it might have been possible to bypass the combination, but it no longer works on Windows 10 20H2
  • the flag LLKHF_INJECTED in KBDLLHOOKSTRUCT, which makes me believe that Windows can distinguish between physical and simulated keypresses, explaining why the code might not work any more
  • I am aware of the Registry key DisableLockWorkstation in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, but that would affect Ctrl+Alt+Del as well
Thomas Weller
  • What is the consequence if it is or is not a secure attention sequence? – schroeder Apr 13 '21 at 07:47
  • [Microsoft groups `Win+L` along with `Ctrl+Alt+Del` and `Ctrl+Shift+Esc` as 'predefined key combinations for OS security'](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/predefined-key-combinations#security-keys). I can't find any reference that says that these are all SASs though. – nobody Apr 13 '21 at 08:00
  • @schroeder: if it's not a SAS, the key combination could be hooked (likely by a non-privileged application) and someone could show a fake login dialog on which I would enter my password. – Thomas Weller Apr 13 '21 at 08:00
  • So your question is really specific about it being a secure attention sequence, but your real query is broader than that. You don't care if it is a secure attention sequence, you want it to be reserved. And as nobody points out, that search is easier to carry out. – schroeder Apr 13 '21 at 08:08
  • @schroeder: I think you're right. My main concern is: I want it to be reserved. – Thomas Weller Apr 13 '21 at 08:26
  • Does Windows currently intend to offer realistic security against an attacker that can run a local app, even unprivileged? – Nat Apr 14 '21 at 00:53
  • Just to note an alternative to hooking Win+L: a malicious app might spoof an automatic time-out lock after noticing the user idle. Perhaps even jiggle the mouse a pixel or so every now and then to prevent an actual idle lock. – Nat Apr 14 '21 at 00:56
  • @Nat: you can press Win+L before entering your password to make sure you're on the correct login screen. Well, maybe. That's what the question is about. – Thomas Weller Apr 14 '21 at 07:24
  • @ThomasWeller It appears my current answer is completely wrong, perhaps because I messed something up while testing it. Can you unaccept it so I can delete it while I figure out what I did wrong while testing it? – nobody Jun 11 '21 at 11:35
  • @nobody: thanks for notifying me – Thomas Weller Jun 11 '21 at 13:18

1 Answer

The answer is quite simple: Win+L is not a SAS, and it does not need to be. It is used for locking the device.

There is a group policy to control the SAS for triggering the login. You may set it so that CTRL+ALT+DEL is required for every login, independently of how the station got locked, be it via shortcut, time-out or any other way; after all, a locked state is a locked state. Assuming that you require a SAS upon login, there is no need to verify the locking sequence. Malicious software can be written in many different ways, so over-engineering protection for one feature does not make much sense. A screen overlay could be used to capture the click map used for locking the station from the Windows context menu, as an example. This is why it is much smarter to require a SAS on login.

There is a whole different debate about users actually noticing the difference on systems that require a SAS and on those that don't.

It is worth noting that the policy is disabled by default due to the wide use of touchscreen devices and the overall bad user experience, so it must be activated to be used.

nethero
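An added audit script (not from the answer, and not Microsoft's code) that checks the two settings this thread touches: the policy the answer recommends, "Interactive logon: Do not require CTRL+ALT+DEL", and the DisableLockWorkstation value from the question. It assumes that policy is stored as the DWORD DisableCAD under the same Policies\System key (0 = CTRL+ALT+DEL required, 1 = not required, absent = not configured), and that the remediation function is run from an elevated shell.

```powershell
# Added example: audit whether a SAS is enforced at logon, as the answer recommends.
# Assumption: the "Interactive logon: Do not require CTRL+ALT+DEL" policy is stored
# as the DWORD DisableCAD under the Policies\System key named in the question
# (0 = CTRL+ALT+DEL required, 1 = not required, absent = not configured).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyDword {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or value is absent, otherwise the integer content.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SasLogonStatus {
    $disableCad  = Get-PolicyDword -Name 'DisableCAD'
    $disableLock = Get-PolicyDword -Name 'DisableLockWorkstation'
    [pscustomobject]@{
        DisableCAD             = $disableCad
        DisableLockWorkstation = $disableLock
        # Only an explicit 0 guarantees the CTRL+ALT+DEL gate before the credential UI;
        # absent means the default applies, which the answer notes does not require it.
        SasRequiredAtLogon     = ($disableCad -eq 0)
        # 1 removes Win+L and the Lock option entirely (affects Ctrl+Alt+Del too).
        WorkstationLockBlocked = ($disableLock -eq 1)
    }
}

function Enable-SasAtLogon {
    # Remediation: require CTRL+ALT+DEL at every logon (needs an elevated shell).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'DisableCAD' -Value 0 -Type DWord
}

$status = Get-SasLogonStatus
$status | Format-List
if (-not $status.SasRequiredAtLogon) {
    Write-Warning ('SAS not enforced at logon: a lock screen reached via Win+L or an idle ' +
                   'time-out shows no CTRL+ALT+DEL gate. Run Enable-SasAtLogon elevated.')
}
```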