Control-alt-delete. Likely the most famous (or, perhaps, infamous) combination of keys ever. Despite being known by most computer users, there is a lot more most people don’t know about it. To start, it hasn’t always done the same thing.

The IBM PC

The story begins with IBM, before the release of the IBM PC. This was before windows existed, or even DOS for that matter. The IBM PC was a joint project between IBM and Microsoft. IBM made the hardware, and Microsoft made the operating system. Despite the lackluster name, it went on to change the computer industry.

Enter David Bradley. Bradley worked on the firmware for the IBM PC. The process of programming the firmware involved frequent restarts, which took a long time. To make the restart process faster, Bradly created a key combination which performed a warm reboot. When a warm reboot is performed, power is maintained and POST tests are not rerun, making the process much faster.

The combination for this was originally control-alt-escape, but it was possible to hit this combination by accident. As a result, control-alt-delete was chosen because it was impossible to type with only one hand on the original IBM keyboard.  As you know, it is still not a walk in the park to type the sequence.

Windows 3.0

Starting with windows 3.0, control-alt-delete got a new usage. Rather than rebooting, it displayed a list of running tasks and allowed the user to stop specific tasks, similar to task manager today. Windows 2000 brought us the same interface that is used today, albeit with visual differences. Pressing the combination brings up a number of options including opening task manager, changing your password, signing out and a few others.

Note that control-alt-delete will still trigger a reboot while the computer is in the BIOS (e.g. during POST).

Secure Attention Key

Control-alt-delete has another important use.

Whenever you want to use a system, you must log in with your password. This is a fairly mundane process we do quite often. There is an important security question we seldom consider, though: how do we know the login prompt is real?

Now, this isn’t a question like “how do we know we aren’t all living on a giant cat?” This is a very practical question. As it happens, there are, in fact, fake login prompts. They aren’t as common as they used to be, but they still exist.

How do you even make fake login prompts? Generally, the goal is to make something that is visually identical to the normal login prompt, and leave the program running on a user’s account. A program can run in fullscreen with the exact same visuals and behavior as the normal login prompt. There wouldn’t be any way to tell which prompt was the real one.

How do we avoid fake login prompts? Secure attention keys. A secure attention key is a particular combination that is “special” to the operating system. When you press it, it will bring up the real login prompt, enabling you to be certain it is the real one.

There is an important technical detail about secure attention keys: only the operating system knows when they are pressed.

Normally when you type on a keyboard, the input is sent to the operating system. The operating system will then tell the program currently in focus what the input was. For example, let’s say you are filling out a form on a website through your browser program. You type ‘a’, and the operating system detects that you typed ‘a’. It then tells your browser program that you typed ‘a’, which will fill in the form with an ‘a’. The browser only knows what you typed because the operating system told it.

Something different happens when you type a secure attention key. As before, the operating system knows which keys you pressed. However, because it recognizes that you typed the secure attention key, it doesn’t tell your browser program that you typed it. To your browser it is as if you didn’t type anything at all.

Due to this, a fake login prompt will not know when you press the combination because the operating system doesn’t pass on the information. This ensures the prompt that does show up is valid.

This is also why you cannot directly type a secure attention key when using something like remote desktop software or a virtual machine. Your operating system will never forward the combination on to the software you are using, so the software will not know you typed it and thus will not forward it on to the other computer. As a result, this type of software typically has a button in the interface that will send the combination instead.

On windows, the secure attention key is control-alt-delete. On consumer editions of windows it isn’t used by default, though it is on by default for computers in a windows domain.