Winlogon Explained

Winlogon (Windows Logon) is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creates the desktops for the window station, and optionally locking the computer when a screensaver is running (requiring another authentication step). The roles and responsibilities of Winlogon have changed significantly in Windows Vista and later operating systems.

Overview

Winlogon is launched by the Session Manager Subsystem as a part of the booting process of Windows NT.

Before Windows Vista, Winlogon was responsible for starting the Service Control Manager and the Local Security Authority Subsystem Service, but since Vista these have been launched by the Windows Startup Application (wininit.exe).[1]

The first part of the logon process Winlogon conducts is starting the process that shows the user the logon screen. Before Windows Vista this was done by GINA,[2] but starting with Vista this is done by LogonUI. These programs are responsible for getting user credential and passing them to the Local Security Authority Subsystem Service, which authenticates the user.

After control is given back to Winlogon, it creates and opens an interactive window station, WinSta0,[3] and creates three desktops, Winlogon, Default and ScreenSaver. Winlogon switches from the Winlogon desktop to the Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first.[4]

The system switches back to the Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown. Winlogon now starts the program specified in the Userinit value which defaults to userinit.exe. This value supports multiple executables.[5]

Responsibilities

Window station and desktop protection
  • Winlogon sets the protection of the window station and corresponding desktops to ensure that each is properly accessible. In general, this means that the local system will have full access to these objects and that an interactively logged-on user will have read access to the window station object and full access to the application desktop object.
    Standard SAS recognition
  • Winlogon has special hooks into the User32 server that allow it to monitor Control-Alt-Delete secure attention sequence (SAS) events. Winlogon makes this SAS event information available to GINAs/credential providers to use as their SAS, or as part of their SAS. In general, GINAs should monitor SASs on their own; however, any GINA that has the standard ++ SAS as one of the SASs it recognizes should use the Winlogon support provided for this purpose.
    SAS routine dispatching
  • When Winlogon encounters a SAS event or when a SAS is delivered to Winlogon by the GINA, Winlogon sets the state accordingly, changes to the Winlogon desktop, and calls one of the SAS processing functions of the GINA.
    User profile loading
  • When users log on, their user profiles are loaded into the registry. In this way, the processes of the user can use the special registry key HKEY_CURRENT_USER. Winlogon does this automatically after a successful logon but before activation of the shell for the newly logged-on user.
    Assignment of security to user shell
  • When a user logs on, the GINA is responsible for creating one or more initial processes for that user. Winlogon provides a support function for the GINA to apply the security of the newly logged-on user to these processes. However, the preferred way to do this is for the GINA to call the Windows function CreateProcessAsUser, and let the system provide the service.
    Screen saver control
  • Winlogon monitors keyboard and mouse activity to determine when to activate screen savers. After the screen saver is activated, Winlogon continues to monitor keyboard and mouse activity to determine when to terminate the screen saver. If the screen saver is marked as secure, Winlogon treats the workstation as locked. When there is mouse or keyboard activity, Winlogon invokes the WlxDisplayLockedNotice function of the GINA and locked workstation behavior resumes. If the screen saver is not secure, any keyboard or mouse activity terminates the screen saver without notification to the GINA.
    Multiple network provider support
  • Multiple networks installed on a Windows system can be included in the authentication process and in password-updating operations. This inclusion lets additional networks gather identification and authentication information all at once during normal logon, using the secure desktop of Winlogon. Some of the parameters required in the Winlogon services available to GINAs explicitly support these additional network providers.

    Vulnerabilities

    Winlogon is a common target for several threats that could modify its function and memory usage. Winlogon has support for plugins that get loaded and notified about specific events.[6] Some rootkits bundle Winlogon plugins because they are loaded before any user logs in. Some registry keys allow multiple values to be supplied that allow a malicious program to be executed at the same time as a legitimate system file.[7]

    See also

    External links

    Notes and References

    1. Web site: Archiveddocs . Windows Administration: Inside the Windows Vista Kernel: Part 2 . 2023-05-14 . learn.microsoft.com . en-us.
    2. Book: Russinvoich, Mark E. . Microsoft Windows Internals . Solomon . David . . 2005 . 978-0735619173 . 4th . Redmond, Washington . 81 . en.
    3. Web site: Window Stations . 19 April 2014 . MSDN . Microsoft Corporation.
    4. Web site: Desktops . 19 April 2014 . MSDN . Microsoft Corporation.
    5. Book: Ionescu . Alex . Windows internals, Part 1 . Russinovich . Mark . Solomon . David A. . Microsoft Press . 2012 . 978-0735648739 . 6th . Redmond, Wash. . 77.
    6. Web site: alvinashcraft . Winlogon Notification Events - Win32 apps . 2023-05-14 . learn.microsoft.com . en-us.
    7. Web site: Boot or Logon Autostart Execution: Winlogon Helper DLL, Sub-technique T1547.004 - Enterprise MITRE ATT&CKĀ® . 2023-05-14 . attack.mitre.org.
    8. Web site: Warren. Tom. 2020-09-25. Windows XP source code leaks online. 2020-09-27. The Verge. en.