Is Windows+L a secure attention sequence?



  • Ctrl+Alt+Del is a secure attention sequence (Microsoft) (or secure attention key (Wikipedia), but it's more a Linux term).

    As we can read,

    A key sequence that begins the process of logging on or off. The default sequence is CTRL+ALT+DEL.

    it is only the default sequence, which means that other sequences might exist. In an answer to a related question, we can read that Win+Pwr is also a SAS, at least on some devices.

    I've been using Win+L to lock my desktop, since I find it easier to use, and I even recommend that to other people. For my own research, this combination cannot be registered as a hotkey either. But: I have no official documentation on it.

    Why do I even care? If it's not a SAS, the key combination could be hooked (likely by a non-privileged application) and someone could show a fake login dialog on which I would then enter my password.

    So, is Win+L a secure attention sequence?

    I have seen previously linked questions and

    • How does CTRL-ALT-DEL to log in make Windows more secure? (ServerFault)
    • some code from 2010 where it might have been possible to bypass the combination, but it does no longer work on Windows 10 20H2
    • the flag LLKHF_INJECTED in KBDLLHOOKSTRUCT, which makes me believe that Windows can distinguish between physical and simulated keypresses, explaining why the code might not work any more
    • I am aware of the Registry key DisableLockWorkstation in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, but that would affect Ctrl+Alt+Del as well


  • Answer is quite simple Win+L is not a sas and it does not need to be. It is used for locking the device.

    There is a group policy to control the sas for triggering the login. You may set it so the CTRL+ALT+DEL is required for every login independently of how the station got locked, be it via shortcut, time-out or any other way, after all locked state is locked. Assuming that you require sas upon login there is no need to verify the locking sequence. Malicious software can be written in many different ways so overengineering protection for one feature does not make much sense. Screen overlay could be used to capture the click map used for locking the station from Windows context menu as an example. This is why it is much smarter to require sas on login.

    There is whole different debate about users actually noticing the difference on systems that require sas and on those that don't.

    It is worth noting that the policy is disabled by default due to wide use of touchscreen devices and overall bad user experience, so it must be activated to be used.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2