Why is Control-Alt-Delete the secure attention sequence (SAS)?


When we were designing NT 3.1, one of the issues that came up fairly early was the secure attention sequence – we needed to have a keystroke sequence that couldn’t be intercepted by any application.

So the security architect for NT (Jim Kelly) went looking for a keystroke sequence he could use.


It turned out that the only keystroke combination that wasn’t already being used by a shipping application was control-alt-del, because that was used to reboot the computer.

And thus was born the Control-Alt-Del to log in.

I’ve got to say that the first time that the logon dialog went into the system, I pressed it with a fair amount of trepidation – I’d been well trained that C-A-D rebooted the computer and….


Comments (48)

  1. Anonymous says:

    The first time I saw NT 3.5, I thought someone had customised the logon screen as a joke, sort of like those people on IRC who tell you to press ALT-F4 to fix a problem.

  2. Anonymous says:

    I thought the Alt-Ctrl-Del was "invented" by an IBM-er?

  3. Anonymous says:

    Out of interest, who was responsible for making the BSOD blue? Why is it still blue?

  4. Anonymous says:

    > It turned out that the only keystroke

    > combination that wasn’t already being

    > used by a shipping application was

    > control-alt-del,

    Fine, that makes it a reasonable choice for some purposes. But let’s back up and see what the purpose was?

    > So the security architect for NT (Jim Kelly)

    > went looking for a keystroke sequence he

    > could use.

    From where comes the inference that the then-absence of other uses makes it secure? I’m perfectly willing to believe that some of the games that I’ve played weren’t shipping yet when NT 3.1 was designed, but that sequence of historical events doesn’t stop the games from gobbling up ctrl-alt-delete. Surely any writer of Trojan-style fake login screens or other stuff could also eat the same ctrl-alt-delete and display whatever they want?

  5. Anonymous says:

    A Shipping Application? From MS? If it wasn’t from MS, why did you guys care if it was used? Why not CTRL-ALT-SPACE? Who was using that? DEL is so far away from CTRL-ALT.

  6. Anonymous says:

    Yeah, an IBM guy came up with CTRL-ALT-DEL as the reboot sequence. But we coopted it because no existing application was using it.

    No existing DOS application would use CTRL-ALT-DEL in the application because of the rather obvious problems it would introduce (users expected that C-A-D would reboot the machine, and if it didn’t reboot the machine, they would be upset).

    Sushant,

    You’re new here, aren’t you? You’ve never read my blog or Raymond Chen’s (http://weblogs.asp.net/oldnewthing) blog and seen the herculean efforts that Microsoft expends to ensure that apps continue to work on our platforms. Here’s a hint: With very, very few exceptions, Windows doesn’t break apps across platform upgrades.

    Some app used CTRL-ALT-SPACE for something – I don’t know which app, but it was used. So were all the other CTRL-ALT combinations, and the CTRL-ALT-SHIFT, etc.

    Mr. Blobby, actually, I believe it’s because a lot of developers (myself included) find looking at white text on a blue background to be highly readable, so when it came time to pick a color scheme, that’s what came out. I know others find black text on a white background to be cool, but…

  7. Anonymous says:

    Hi Larry. Thanks for responding. While I do recognize the effort that MS goes to in order to allow backward compatibility, as a designer, does this come at a cost of an effective or efficient design? What makes a designer say, let's keep with the old because apps depend on it, versus, let's create a design that will most likely be used by millions of people maybe every day (I guess hindsight is always 20/20) 🙂 But I hope you see that I’m not trying to belittle your efforts, just trying to understand what an experienced developer would say.

  8. Anonymous says:

    Hi Larry. Thanks for responding. While I do recognize the effort that MS goes to in order to allow backward compatibility, as a designer, does this come at a cost of an effective or efficient design? What makes a designer say, let's keep with the old because apps depend on it, versus, let's create a design that will most likely be used by millions of people maybe every day (I guess hindsight is always 20/20) 🙂 But I hope you see that I’m not trying to belittle your efforts, just trying to understand what an experienced developer would say.

  9. Anonymous says:

    Sorry, I think I hit the button twice in a row. Didn’t mean to.

  10. Anonymous says:

    By the way, BSOD colors can be changed somewhere in the registry… At least on Win 9x it was so.

  11. Anonymous says:

    Sushant

    Windows gives the key to the application, not vice versa. Any key is as good as any other. But MS chose it as the one key they could refuse to pass on to applications.

    Larry and others

    My blue colour gun went and I didn’t notice (your eyes adapt) and I was convinced that one change in Win 2000 was black screen crashes. I thought Microsoft’s Marketing was up to no good trying to eradicate the phrase blue screen from the language. I felt stupid when I bought a new monitor.

  12. Anonymous says:

    Sushant,

    The simple answer is that it’s irrelevant whether it comes at a cost of an effective or efficient design.

    The reality is that Windows is a platform for running applications. If the applications stop running (because we made the platform "more efficient"), then people will stop using the platform.

    So compatibility is job 1. If a redesign can’t be done without ensuring compatibility, then the new design needs to change. I personally think of it as an "opportunity to excel"

  13. Anonymous says:

    "From where comes the inference that the then-absence of other uses makes it secure?"

    No such inference was drawn. The security does not derive from its prior non-use.

    What makes it secure is that the OS traps this key sequence in a way that makes it impossible for anything not in the Trusted Computing Base to handle it.

    That part, the part that makes it secure, is orthogonal to the choice of which particular key sequence they chose to trap in this way. They could have chosen anything. For example, they could have used, say, Ctrl-SysRq. Arguably that would have made sense of the fact that that key had had SysRq printed on it for no obvious reason all these years.

    But if they had done that, this would have prevented applications that actually did something with that key sequence from working. If backwards compatibility is a goal (and it was) then Ctrl-SysRq is no better than choosing, say, the E key as the sequence…

    They had to choose a key sequence that wasn’t already in use if they were to avoid breaking existing applications. Since Ctrl-Alt-Del had been the reboot sequence since the dawn of time, arguably no sane development team would choose to use it to do anything important. Which of course is exactly what the NT team promptly did. 😉 (For the benefit of the irony-impaired, who seem to be particularly active in blog comments, I’d like to point out that that last sentence was in jest.)

    Once they had chosen the key sequence, the thing that made that choice secure was the implementation of their decision to secure it.

  14. Anonymous says:

    Larry, I think I understand the design philosophy a bit better now that you have elaborated. I think that Apple does give different weightings to compatibility vs effective or efficient design vs MS. From my little experience with apples products, backward compatibility isn’t really a priority. Would you agree? Is that why their products weren’t able to capture the market as well as MS in the early days?

  15. Anonymous says:

    I thought the point was that only C-A-D generates a hardware interrupt that the OS can trap. Something else like ctrl-alt-space would not generate such an interrupt and so a trojan could fake the login screen.

    Is this not correct?

  16. Anonymous says:

    G. Man, Ian just about nailed what the SAS is about – it’s not that the hardware is special, but instead no application can fake a control-alt-del sequence.

    And thus you can’t write a trojan logon dialog – all the user has to do is to type C-A-D and get the real one.

    Sushant, it’s my understanding that Apple’s less concerned with slavish backwards compatibility – they’re willing to break applications in favor of new designs.

  17. Anonymous says:

    > I thought the point was that only C-A-D generates a hardware interrupt that the OS can trap. Something else does like ctrl-alt-space would not generate such an interrupt and so a trojan could fake the login screen. Is this not correct?

    No. Under NT, userland applications don’t have direct access to the hardware at all (unlike in DOS, where the fact that it *is* a hardware interrupt came into play).

    Everything an application gets, it gets because the kernel gave it to them. Since the kernel sees it first, it can perform any filtering on it that it wishes. There is no *technical* reason that the SAS is C-A-D. The NT kernel could just as easily and securely trap Ctrl+SysRq and not pass it on to applications. (In fact, this is the case with NT on Alpha — the sequence has *no* special meaning on that hardware, yet remains just as secure.)

    As mentioned, C-A-D was chosen solely to avoid regressions; since it was the least likely key combination that an application would be looking for.
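The kernel-first filtering described in comments 13 and 17, as an added example that is not code from the post or from Windows: a small Python model of a DOS-style dispatcher, where whatever program last hooked the keyboard interrupt sees Ctrl-Alt-Del first, next to an NT-style dispatcher in which the kernel matches the SAS before any application registration and routes it only to the trusted logon component. The names (App, the two Dispatcher classes, simulate) and the "fake-logon" program are hypothetical.

```python
"""Model of why the NT secure attention sequence (SAS) cannot be spoofed.

Added example, not code from the original post or from Windows. Two input
dispatchers are modelled: a DOS-style one where any program may take over
the keyboard interrupt, and an NT-style one where the kernel sees every
keystroke first and reserves the SAS for the trusted logon component.
All class and program names here are illustrative.
"""
from dataclasses import dataclass, field

# A chord is the set of keys held together; the SAS is Ctrl+Alt+Del.
SAS = frozenset({"ctrl", "alt", "del"})
CTRL_ALT_SPACE = frozenset({"ctrl", "alt", "space"})


@dataclass
class App:
    name: str
    trusted: bool = False
    seen: list = field(default_factory=list)  # chords delivered to this app

    def on_key(self, chord):
        self.seen.append(chord)


class DosStyleDispatcher:
    """Any program may hook the keyboard interrupt; the hook runs before
    anything else, so a fake logon can swallow Ctrl+Alt+Del itself."""
    def __init__(self):
        self.hook = None

    def install_hook(self, app):
        self.hook = app

    def keystroke(self, chord):
        if self.hook is not None:
            self.hook.on_key(chord)
            return self.hook.name
        return "rom-bios"  # no hook installed: the BIOS reboots on SAS


class NtStyleDispatcher:
    """The kernel sees every keystroke first. Applications may register
    chords, but the SAS is matched before the registrations are consulted
    and is routed only to the trusted logon component."""
    def __init__(self, winlogon):
        assert winlogon.trusted
        self.winlogon = winlogon
        self.hotkeys = {}      # chord -> app, for ordinary hotkeys only
        self.foreground = None  # app that receives unregistered chords

    def register_hotkey(self, app, chord):
        if chord == SAS:
            raise PermissionError("SAS is reserved by the kernel")
        self.hotkeys[chord] = app

    def keystroke(self, chord):
        if chord == SAS:  # filtered before any application is consulted
            self.winlogon.on_key(chord)
            return self.winlogon.name
        target = self.hotkeys.get(chord, self.foreground)
        if target is None:
            return None
        target.on_key(chord)
        return target.name


def simulate():
    """A fake logon program tries to capture Ctrl+Alt+Del under both models."""
    fake_dos = App("fake-logon")
    dos = DosStyleDispatcher()
    dos.install_hook(fake_dos)
    dos_sas = dos.keystroke(SAS)  # the hook swallows the reboot sequence

    fake_nt = App("fake-logon")
    nt = NtStyleDispatcher(App("winlogon", trusted=True))
    nt.foreground = fake_nt
    nt.register_hotkey(fake_nt, CTRL_ALT_SPACE)  # ordinary chords still work
    try:
        nt.register_hotkey(fake_nt, SAS)
        sas_refused = False
    except PermissionError:
        sas_refused = True
    return {"dos_sas": dos_sas, "nt_sas": nt.keystroke(SAS),
            "nt_space": nt.keystroke(CTRL_ALT_SPACE),
            "sas_refused": sas_refused, "fake_nt_saw_sas": SAS in fake_nt.seen}
```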

  18. Anonymous says:

    Larry, isn’t there a DirectX flag these days to inhibit C-A-D? I remember playing around with it and naturally locking everything up. I don’t remember if it might have been in 9x, though.

  19. Anonymous says:

    CN: There might be for Win9x, but there certainly isn’t for WinNT. If there was, it’d be a massive security hole – the SAS has to be guaranteed to prevent spoofing the logon dialog.

  20. Anonymous says:

    It’s no longer the case, apple changed, but in the past,

    MS – Software compatibility – all old programs run.

    Apple – Hardware compatibility – all new programs run on old hardware (even if it took 20 minutes to startup the app).

  21. Anonymous says:

    This ‘slavish compatibility’ has failed somewhat for XP SP2 – you finally decided to make security come first. From various MSDN blogs I get the impression that the attitude was ‘if we must break it, let’s break everything once’.

    However, Joel Spolsky seems to think that the problem is deeper – that the compatibility camp in MS has been outweighed by the new products camp.

    What you are saying (I think) is that MS will try not to break compatibility, even in Longhorn. How far will this go? Will security concerns still trump compatibility, as with SP2?

    I take it that you don’t share the same concern, or feel the same sense of loss, about breaking compatibility with open-source software 😉

  22. Anonymous says:

    There will be one thing that will break a lot of compatibility: 64-bit Windows doesn’t allow 16-bit Windows apps. Didn’t Gates demonstrate DOS VisiCalc running on Longhorn? There’s going to be a lot of 16-bit apps (e.g. old games) that won’t work anymore once 64-bit becomes mainstream.

    Microsoft could integrate Virtual PC into the OS in some fashion in order to allow 16-bit apps to run.

  23. Anonymous says:

    Jonathan’s right, 64 bit windows removes the DOS subsystem. And I’m not sure that it’s the right decision – there are a number of x32 apps out there that still use 16bit setup technologies.

    And the server platforms have removed support for Posix and OS/2.

    It’ll be interesting to see if the 16bit removal decision sticks.

  24. Anonymous says:

    Mr Blobby: That’s actually gray. We’ve changed from "Every application must run" to "Every application must run unless running it would mean opening up a security hole".

    That’s actually not a huge difference.

    And I respectfully disagree with Joel on this one – he’s referring to the public face of Microsoft’s tools development organization (MSDN Magazine, etc). Those organizations are all about selling development tools, thus they focus on "the new thing".

    But the OS group has a different charter – we focus on ensuring that your LoB applications (or games, or productivity applications, or whatever) will continue to work from release to release.

    The platform SDK (or the C/C++ runtime library, which is written to the platform SDK) defines a binary compatibility layer that is carefully upwards compatible. The fact that the source code of the application is licensed under an open source license doesn’t matter – the *platform* doesn’t care.

  25. Anonymous says:

    Sorry for lack of research, but well:

    Application-specific quirksmodes (as of Simcity fame) don’t/won’t exist any more?

  26. Anonymous says:

    Mr Blobby,

    Nope, appcompat will still work and they’re still there. That’s how we resolve the issue of broken apps – we change the system behavior for the single broken app instead of changing the entire system for the sake of an app.

  27. Anonymous says:

    In which case, my previous comment about open-source apps still stands. However, that was just meant to be a joke… To make it less contentious, and more useful, how about this (broader) question:

    Out of the set of all apps which don’t work despite the work you put into the binary compatibility layer, how do you go about selecting/prioritizing the subset which will get the quirksmode treatment?

  28. Anonymous says:

    From several comments I understand that Ctrl-Alt-Del is secure under NT-based kernels because NT-based kernels prevent applications from trapping it. So a Trojan-style fake login screen would be impossible if an NT-based OS is already running.

    If W9x is running then a Trojan-style fake NT-style login screen remains perfectly possible.

    For users to be secure, in addition to pressing Ctrl-Alt-Del, they’d better make sure an NT-based OS is actually running. Is there any way to be sure of that, other than rebooting?

  29. Anonymous says:

    Mr. Blobby: I guess I understand, but.. If an open source product is successful, then it will become successful because it is available in a binary distribution.

    Source distributions will NEVER be a successful distribution mechanism (beyond the hobbyist or IT department level). Users just don’t compile the code and run, they run pre-compiled binaries.

    If you’ve got the source code and your app breaks on Windows, then you can fix it yourself – by downloading the source and recompiling it, you take on all responsibility for maintaining your code. That’s the behavior of a hobbyist or IT person, not a consumer. As I said, consumers use binaries.

    Norman, that’s actually a really good point – a user that doesn’t know the OS on the computer DOES have to reboot it to truly ensure that NT’s running.

  30. Anonymous says:

    Sorry, my actual question got lost in pointless discussion about licensing. I am talking only about binaries.

    More clearly:

    When you design your new OS (or upgrade, or whatever) your testing team will find a number of apps which won’t work, or have major bugs introduced. Do you actually go to great lengths to ensure EVERY app found this way will in fact work? If not, then how do you prioritise – severity of bugs and popularity of application would seem to be the obvious first starts. Also, presumably your testers give the third-party notice and help to fix the bugs themselves first?

    Another question:

    MS has recently been cutting down its test teams, because of the rise of automated testing, and the rise of the ‘developer/tester’. However, presumably you do still have a large test team for app compatibility?

  31. Anonymous says:

    What about Windows XP and the Welcome screen – could that be spoofed? If your Windows XP machine is on a domain then you can’t use the Welcome screen. I know that one reason for this (that Raymond Chen has mentioned) is because it’s not feasible to enumerate network user accounts for display on that screen, but presumably another reason is that it doesn’t use the SAS.

  32. Anonymous says:

    Rebooting won’t help – what if the trojan not only pretends to be the NT-based login, but also fakes the boot screens?

  33. Anonymous says:

    Mr Blobby: I don’t know the answer to that one, I’m not on the appcompat team.

    John: Actually the SAS is still there for the welcome screen – hit C-A-D twice and the old familiar logon dialog will come up.

    KiwiBlue – if you believe that the bad guy’s had enough access to replace your OS, then it doesn’t matter, you might as well reformat.

  34. Anonymous says:

    This is OT – I apologize.

    A while back (when I first used NT4) I noticed that Ctrl+Shift+Esc runs the task manager. I’ve used it ever since. Is this shortcut supposed to be common knowledge? I’ve never seen it documented anywhere. I’m curious… 🙂

    I was once the victim of a coworker using software that took over my desktop. Can’t remember what it was… it disabled Ctrl+Alt+Delete, but luckily whomever wrote it didn’t know about Ctrl+Shift+Esc, so I was able to kill the process.

  35. Anonymous says:

    Jerome, that’s surprising – I’m not aware of any mechanism of spoofing C-A-D on NT – are you sure that was NT you were running?

  36. Anonymous says:

    > Norman, that’s actually a really good point

    > – a user that doesn’t know the OS on the

    > computer DOES have to reboot it to truly

    > ensure that NT’s running.

    I’m not sure simply rebooting would resolve the issue of what OS you are running. It would be pretty trivial to spoof the Windows 2000 or XP boot screen using logo.sys, and (assuming the Windows 9x machine was using a blank password) provide a Windows NT-like login screen using Run or RunService. winver.exe could be replaced, the "Windows 9x" running up the side of the Start menu can be edited.

    Although I fail to see the reason why anyone would bother. Windows 9x is so insecure it’s hardly necessary to pretend to be Windows NT to trick users into giving up information.

    However, in my experience, most people don’t know what OS they are running even though a screen with clouds and the name of the OS appeared on their monitor every morning for 2 minutes (this was back in the days of P133s when even Windows 9x took a long time to start). If I had a dime for everyone who told me they were running "Windows 97" when they meant they were running Office 97 I’d be retired.

  37. Anonymous says:

    Larry, I did know that actually but forgot (I found it out by accident once)!

    Jerome, I know about the Task Manager shortcut and have seen it documented somewhere. Having said that, I couldn’t find it in Windows XP Help.

  38. Anonymous says:

    Larry, I don’t agree that source distributions will never be successful. Most of the time users don’t simply run binaries, they have to go through an installation process. And there’s absolutely no reason why the installation could not include compiling the actual binaries. The users wouldn’t know, much like they do not know today what the installer does. Users currently do not manually register type libraries, but that hasn’t prevented applications that use COM from being used by BFUs.

  39. Anonymous says:

    Jerry,

    Do you REALLY believe that your Grandfather would be able to install a package distributed only in source form? I know that my Mother or Father wouldn’t – they wouldn’t know what a compiler was (or where to find one) if it jumped up and bit them on the nose.

    And software isn’t going to be successful in the end-user space if it only comes in source distributions.

    There’s a really good reason that the firefox people don’t distribute the source code to firefox in its default form – if you go to GetFirefox.com, you download a pre-compiled binary, NOT the source code. Geeks like us do source code, users do not.

  40. Anonymous says:

    Larry is right about end users. They only care about the application. The installer process/compile/whatever is only a roadblock in their use of the "great time saver" whatever that may be.

    The idea of distributing source that is compiled at install time is pretty cool but there’s way too many variables that can go wrong in that situation. What if the compile didn’t take? What if it compiled but with warnings? What if it compiles but doesn’t quite run right? The user won’t have enough knowledge in most instances to understand the code even if you gave them immediate patches they could apply. Without automating that further your failures will be horrific and people will loathe it.

    Personally I like the idea but only if it’s almost impossible to screw up. I’d love to have code I wrote 20 years ago compile right up on this new OS and "automagically" work as if I coded it yesterday, with NO modifications to the code. That would be sweet as all hell but chances of that are slim. You’d need to demodularize the OS into hardware/software API so that no matter what hardware you ran, the software would work. Then on top of that the software would have to be able to translate your old code into new controls, etc. Possible? Yes. Probable within 5 years from Microsoft, Apple, IBM, or Sun? Not at all. It’s not cost effective because they’re into hits they can milk quickly. The big players make more money off v.Next and this would put the emphasis on v.Now. Now could mean 20+ years literally if it’s done correctly where as Next typically means 5 or so years, give or take.

  41. Anonymous says:

    Norman

    >For users to be secure, in addition to pressing

    >Ctrl-Alt-Del, they’d better make sure an NT-based OS is

    >actually running. Is there any way to be sure of that,

    >other than rebooting?

    The important thing about NT security is it is secure only while running. It is the procedures, physical security, and training external to the box that guarantees NT is running, and then NT [tries] to secure itself.

    Theft of laptops is the biggest data loss. The details of a protected witness in the Melbourne gang wars were stolen on a laptop last week.

    I hear too much security stuff about the OS but my security assessments start at physical security – can someone steal the server, can someone put a floppy in the server, etc. My next priority is electronic funds transfer. Then securing databases.

    Then I worry about minor threats like viruses. A stolen customer pricing list or the bank account cleaned out can destroy a company. A virus just forces momentary disruption. One can actually train staff to not infect themselves by forensically reconstructing the infection and showing the staff member how they were infected. The AV logs show this works. They become almost empty.

    The clients do seem a weak point if one wrote a program (DOS, say) to look like NT. But the user should twig when there is nothing after logging on. And strangers really shouldn’t be left alone with client computers to slip a floppy in. And screensavers on short timeout (except for admins or I leave) stop strangers from reading the screen.

  42. Anonymous says:

    A friend of mine who used to work at IBM and knew David Bradley (the creator of Ctrl-Alt-Del) told me that David often said:

    "I’m the one who invented Ctrl-Alt-Del, but Bill [Gates] is the one who made it famous!

    … For the NT logon screen, of course!"

  43. Anonymous says:

    Larry Osterman

    >Jerome, that’s surprising – I’m not aware of any mechanism of spoofing C-A-D on NT – are you sure that was NT you were running?

    Maybe I’m mistaken. It was a long time ago. Anyway, my problem was that I didn’t lock my workstation and a coworker simply walked to the machine and installed all sorts of stuff. I’ve been more careful since then.

    John Topley:

    >Jerome, I know about the Task Manager shortcut and have seen it documented somewhere. Having said that, I couldn’t find it in Windows XP Help.

    I’m glad it is documented somewhere. Anyway, since it is being used I guess it’s here to stay anyhow.

  44. Anonymous says:

    It seems to me that requiring ctrl+alt+del to log on is only secure if the user knows enough to stop if they don’t get that prompt. In my experience, people will type their password into any dialog that looks like a logon prompt. Most won’t stop and say, "Gee, I didn’t have to press C+A+D; I’d better call the administrator."

    Am I missing something?
