What's the rationale behind Ctrl-Alt-Del for login

This combination is called a Secure attention key. The Windows kernel is "wired" to notify Winlogon and nobody else about this combination. In this way, when you press Ctrl+Alt+Del, you can be sure that you're typing your password in the real login form and not some other fake process trying to steal your password. For example, an application which looks exactly like the windows login.

In Linux, there's a loosely-defined equivalent which is Ctrl+Alt+Pause. However, it doesn't exactly do the same thing. It kills everything except where you're trying to input your password. So far, there's no actual equivalent that would work when running X.

This implies a trust in the integrity of the system itself, it's still possible to patch the kernel and override this behaviour for other purposes (malicious or completely legitimate)


Ctrl-Alt-Del is the Secure Attention Key on Windows. The operating system enforces a strong non-interception policy for this key combination.

You could make an application which goes full-screen, grabs the keyboard, and displays something which looks like the normal login screen, down to the last pixel. You then log on the machine, launch the application, and go away until some unsuspecting victim finds the machine, tries to log on, and gives his username and password to your application. Your application then just has to simulate a blue screen of death, or maybe to actually log the user on, to complete the illusion.

This attack is defeated by the SAK. Your application can grab the keyboard and redirect all keypresses to itself, without needing administrative rights, except the Ctrl-Alt-Del, which the OS never allows to be redirected. Pressing Ctrl-Alt-Del ensures that you get the genuine logon screen, not an imitation.


The answer to this can actually be found on our sister site, ServerFault. How does CTRL-ALT-DEL to log in make Windows more secure?

To quote the accepted answer by Oskar Duveborn,

The Windows (NT) kernel is designed to reserve the notification of this key combination to a single process: Winlogon. So, as long as the Windows installation itself is working as it should - no third party application can respond to this key combination (if it could, it could present a fake logon window and keylog your password ;)