At college, we had AIX Unix terminals that ran in character mode. I wrote a program to simulate the login screen. It would record your user/password to a file and then throw an 'Invalid Login' error and then actually logoff and give you the real login screen. So no one suspected anything.
After I was done with a terminal, I'd run this program and leave (knowing full well, that someone could Ctrl-C to terminate the program and get access to my account though no one ever did)
I got more than a few passwords with this. But didn't actually do anything with them. I felt bad and deleted the program and passwords after some time.
That's more or less exactly it. Ctrl+Alt+Del causes a switch from the interactive desktop (WinSta0\Default) to the Winlogon desktop, which no other process has access to. Windows code also contains a special rule for interrupting the Ctrl+Alt+Del combination to prevent other applications from hooking into it and overriding the default functionality.
Technically it is possible to get other processes to run in the Winlogon window, but that requires messing around with security tokens, among other barriers.
I think either VirtualBox or VMware Workstation can detect Ctrl-Alt-Delete - it then asks you if you meant to send that to the guest VM. Any idea how that works if there's protection on Ctrl-Alt-Delete?
Vmware detects it, but doesn't stop it dumping you to the lock screen. The result is you hit control Ctrl-alt-del, lock screen pops upp, you get out of the lock screen, and there is a vmware popup saying "hey! You probably meant to use Ctrl-Alt-Insert instead!"
Ctrl-Alt-Del fires an IRQ. As such, it can't usually be fired remotely - although some utils work around it by making API calls at the client end to trigger the behavior, depending on context.
Some flavors of VMware hooked the IRQ on the host machine and responded to that (not sure about VirtualBox, never thought to check that.) They can send it to the virtual machine easily, as they are also providing the a virtual bios/hardware layer.
Back when my high school switched from Win 98 to one of the NTs, and Ctrl-Alt-Del started being used to log in, I thought about making an application that looked like the login UI itself, as if someone else had pressed Ctrl-Alt-Del but then got distracted before actually logging in. But I didn't have the skills to do it.
The best I got was finding out how to launch cmd.exe on NT, when the system had been locked down to disallow right clicks on the desktop, no desktop icons, and only approved programs in the start menu. I think it involved navigating the help system to a certain page that had a link to Explorer. Then I explored the network until I found an unused share somewhere, where I put gcc and started teaching myself C.
The command prompt also let me use the "net send" command to send messages to other computers, which was fun.
My BASIC teacher saw me writing a login screen program and thought it was cool. I wasn't making any attempt to hide it, though.
But it did take a long time to write, because I had to make the IBM logo out of extended-ASCII by hand, and even then it was clearly running inside a BASIC interpreter really really slowly.
After I was done with a terminal, I'd run this program and leave (knowing full well, that someone could Ctrl-C to terminate the program and get access to my account though no one ever did)
I got more than a few passwords with this. But didn't actually do anything with them. I felt bad and deleted the program and passwords after some time.