Understanding Winlogon and its functions.
We usually come across the term Winlogon in the Windows world, and the first perception we get is that this process handles interactive logons. That is partially correct, but Winlogon does a lot more. A legitimate winlogon process runs from “%SystemRoot%\System32\Winlogon.exe”, so make sure you don’t get fooled by a virus or a Trojan running a process named winlogon from some other location. Let’s understand its role in different scenarios.
Before any user applications are active on the system, Winlogon ensures that no other process can access the workstation unless explicitly allowed. It also makes sure that the visible desktop is Winlogon’s own. The desktop switches to the secure desktop and LogonUI is launched once CTRL-ALT-DEL is pressed.
LogonUI – child process of Winlogon used to display the logon dialog box.
The logon process initiates once the user presses the SAS (Secure Attention Sequence), a keystroke combination in Windows used to protect users from password-capture programs. The SAS for Windows is CTRL-ALT-DEL. This launches LogonUI, which in turn calls the credential providers to obtain the user ID and password. (The credential providers shipped with Windows are password and smart card.)
Once the username and password have been entered, Winlogon calls the LSASS (Local Security Authority Subsystem) function LsaLookupAuthenticationPackage to get the authentication package to be used. The logon information is then passed by Winlogon to that authentication package (using the function LsaLogonUser).
If none of the authentication packages indicates a successful logon, the process is aborted. If the logon is authenticated, LSASS looks in the policy database for the access types the user is allowed (e.g. interactive, network, batch or service). If the requested access type doesn’t match the allowed access, the logon is terminated: LSASS sends a failure to Winlogon, which in turn displays an appropriate message to the user.
Upon successfully validating the allowed access for the user, LSASS adds the appropriate security IDs and checks the privileges granted to all of the user’s IDs. LSASS then accumulates all the necessary information and an access token is created.
After the access token has been created, LSASS duplicates it, creating a handle, and passes it to the Winlogon process. LSASS then closes its own handle and returns a success event to Winlogon along with the access token as well as the logon session and profile information.
Winlogon then looks in the registry at the value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and creates a process to run the value of that string. The default is userinit.exe, which loads the user profile and then creates a process to run whatever value HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell holds, if that value exists. If no value exists, userinit defaults to Explorer.exe and then exits.
Winlogon then notifies the registered providers that the user has logged in.
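The two facts above that matter most to a defender are that a genuine winlogon runs from System32 and that whatever sits in the Userinit and Shell values is executed at every interactive logon. The following PowerShell check is an added example, not part of the original article; it assumes an elevated prompt (the executable path of winlogon is not readable otherwise) and a stock install, where Userinit is the System32 userinit.exe with its trailing comma and Shell is explorer.exe.

```powershell
# Added defender check (not from the original article): verifies that every
# running winlogon.exe is the System32 binary and that the Userinit/Shell values
# consulted at logon still hold their defaults.
# Assumes an elevated PowerShell prompt and a stock Windows installation.

$system32         = Join-Path $env:SystemRoot 'System32'
$expectedWinlogon = Join-Path $system32 'winlogon.exe'
$winlogonKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected defaults; Userinit keeps its trailing comma on a stock install.
$expected = @{
    Userinit = (Join-Path $system32 'userinit.exe') + ','
    Shell    = 'explorer.exe'
}

$findings = @()

# 1. Every winlogon.exe instance (one per session) should run from System32.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'"
foreach ($p in $procs) {
    if (-not $p.ExecutablePath) {
        $findings += "PID $($p.ProcessId): path unreadable (run elevated)"
    } elseif ($p.ExecutablePath -ne $expectedWinlogon) {   # -ne is case-insensitive
        $findings += "PID $($p.ProcessId): winlogon.exe running from '$($p.ExecutablePath)'"
    }
}

# 2. Userinit and Shell are launched at logon, so anything appended here runs
#    for every interactive user. Compare each value with its default.
$values = Get-ItemProperty -Path $winlogonKey
foreach ($name in $expected.Keys) {
    $actual = $values.$name
    if ($actual -ne $expected[$name]) {
        $findings += "${name}: expected '$($expected[$name])', found '$actual'"
    }
}

# 3. A per-user Shell value (HKCU) takes precedence for that user, so report it.
$userShell = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                              -Name Shell -ErrorAction SilentlyContinue
if ($userShell) { $findings += "HKCU Shell override present: '$($userShell.Shell)'" }

if ($findings.Count -eq 0) {
    'Winlogon path and logon values match the defaults.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Any WARNING line deserves a closer look at the binary or value it names, since a modified Userinit or Shell value is a common way for malware to get launched at logon.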
Logged-in Processes.
Winlogon becomes active when it intercepts the SAS, and the Windows Security dialog box comes up, providing options to log off, start Task Manager, lock the workstation, shut down, etc. Winlogon is the process that handles this interaction.
Thus the Winlogon process is an important part of the Windows system architecture. It uses certain other system processes and components to handle interactive logons. It also handles many other operations, such as log off, starting Task Manager, locking the workstation and shutdown, and always remains active on the system.