Graphical identification and authentication

Last updated September 27, 2023

The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0,^[1] Windows 2000, Windows XP and Windows Server 2003 ^[2] that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on.^[3] GINA is discontinued in Windows Vista.^[3]

Overview

A default GINA library, MSGINA.DLL, is provided by Microsoft as part of the operating system, and offers the following features:

Authentication against Windows domain servers with a supplied user name/password combination.
Displaying of a legal notice to the user prior to presenting the logon prompt.
Automatic Logon, allowing for a user name and password to be stored and used in place of an interactive logon prompt. Automatic logon can also be configured to execute only a certain number of times before reverting to interactive logon. In older versions of Windows NT, the password could only be stored in plain text in the registry; support for using the Local Security Authority's private storage capabilities was introduced in Windows NT 4.0 Workstation Service Pack 3 and Windows NT Server 3.51.
"Security Options" dialog when the user is logged on, which provides options to shut down, log off, change the password, start the Task Manager, and lock the workstation.

Winlogon can be configured to use a different GINA, providing for non-standard authentication methods such as smart card readers or identification based on biometrics, or to provide an alternate visual interface to the default GINA. Developers who implement a replacement GINA are required to provide implementations for a set of API calls which cover functionality such as displaying a "workstation locked" dialog, processing the secure attention sequence in various user states, responding to queries as to whether or not locking the workstation is an allowed action, supporting the collection of user credentials on Terminal Services-based connections, and interacting with a screensaver.

A custom GINA could be made entirely from scratch, or just be the original GINA with modifications. A custom GINA can be specified by placing a string named GinaDLL in the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The Winlogon component is solely responsible for calling these APIs in the GINA library.

When the Winlogon process starts, it compares its version number to that which is supported by the loaded GINA library. If the GINA library is of a higher version than Winlogon, Windows will not boot. This is done because a GINA library written for a given version of Winlogon will expect a certain set of API calls to be provided by Winlogon.

Support for replaceable GINA DLLs was introduced with Windows NT Server 3.51 and Windows NT Workstation 4.0 SP3. Successive versions of Windows have introduced additional functionality into Winlogon, resulting in additional functionality that can be implemented by a replacement GINA. Windows 2000, for example, introduced support for displaying status messages (including verbose messages that can be turned on through Group Policy) about the current state to the user (e.g. "Applying computer settings."), and starting applications in the user's context; this facilitates restarting Windows Explorer automatically if it crashes, as well as starting the Task Manager. Windows XP introduced support for Fast User Switching, Remote Desktop and a more interactive, simplified and user-friendly full-screen logon.

End of life

In Windows Vista, GINA has been replaced by credential providers, which allow for significantly increased flexibility in supporting multiple credential collection methods. To support the use of multiple GINA models, a complex chaining method used to be required and custom GINAs often did not work with fast user switching. GINA libraries do not work with Windows Vista and later Windows versions. One difference, however, is that GINA could completely replace the Windows logon user interface; Credential Providers cannot.^[2]

Related Research Articles

The Windows API, informally WinAPI, is Microsoft's core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems. The name Windows API collectively refers to several different platform implementations that are often referred to by their own names. Almost all Windows programs interact with the Windows API. On the Windows NT line of operating systems, a small number use the Native API.

Btrieve is a transactional database software product. It is based on Indexed Sequential Access Method (ISAM), which is a way of storing data for fast retrieval. There have been several versions of the product for DOS, Linux, older versions of Microsoft Windows, 32-bit IBM OS/2 and for Novell NetWare.

LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

<span class="mw-page-title-main">Winlogon</span> Component of Microsoft Windows operating systems

Winlogon is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creates the desktops for the window station, and optionally locking the computer when a screensaver is running. In Windows Vista and later operating systems, the roles and responsibilities of Winlogon have changed significantly.

The booting process of Windows NT is the process run to start Windows NT. The process has been changed between releases, with the biggest changes being made with Windows Vista. In versions before Vista, the booting process begins when the BIOS loads the Windows NT bootloader, NTLDR. Starting with Vista, the booting process begins with either the BIOS or UEFI load the Windows Boot Manager, which replaces NTLDR as the bootloader. Next, the bootloader starts the kernel, which starts the session manager, which begins the login process. Once the user is logged in, File Explorer, the graphical user interface used by Windows NT, is started.

The Native API is a lightweight application programming interface (API) used by Windows NT and user mode applications. This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavailable. Therefore, a few Windows components, such as the Client/Server Runtime Subsystem (CSRSS), are implemented using the Native API. The Native API is also used by subroutines such as those in kernel32.dll that implement the Windows API, the API based on which most of the Windows components are created.

The Speech Application Programming Interface or SAPI is an API developed by Microsoft to allow the use of speech recognition and speech synthesis within Windows applications. To date, a number of versions of the API have been released, which have shipped either as part of a Speech SDK or as part of the Windows OS itself. Applications that use SAPI include Microsoft Office, Microsoft Agent and Microsoft Speech Server.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

The Session Manager Subsystem, or smss.exe, is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the startup process of those operating systems.

Client Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later. Because most of the Win32 subsystem operations have been moved to kernel mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown. It is critical to system operation; therefore, terminating this process will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Windows Vista if the Task Manager is run in Administrator mode. On Windows 7 and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt if they want to continue. In Windows NT 4.0 however, terminating CSRSS without the Session Manager Subsystem (SMSS) watching will not crash the system. However, in Windows XP, terminating CSRSS without SMSS watching will crash the system due to the critical bit being set in RAM for csrss.exe.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

The booting process of Microsoft Windows varies between different releases.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system.

Network Level Authentication (NLA) is a feature of Remote Desktop Services or Remote Desktop Connection that requires the connecting user to authenticate themselves before a session is established with the server.

In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.

Control-Alt-Delete is a computer keyboard command on IBM PC compatible computers, invoked by pressing the Delete key while holding the Control and Alt keys: Ctrl+Alt+Delete. The function of the key combination differs depending on the context but it generally interrupts or facilitates interrupting a function. For instance, in pre-boot environment or in MS-DOS, Windows 3.0 and earlier versions of Windows or OS/2, the key combination reboots the computer. Starting with Windows 95, the key combination invokes a task manager or security related component that facilitates ending a Windows session or killing a frozen application.

References

↑ "Vulnerability Report For Microsoft Windows NT 4.0 Terminal Server GINA | CoreLabs Advisories". www.coresecurity.com. Retrieved 2022-11-08.
1 2 "Credentials Management in Windows Authentication". TechNet . Microsoft. 11 April 2013.
1 2 "Winlogon and GINA". MSDN . Microsoft. Archived from the original on 2013-10-01. Retrieved 4 December 2014.

External links

"Winlogon and GINA". Archived from the original on 2013-10-01. Developer information on how the login components interact
Customizing GINA Part 1, Developer tutorial for writing a custom GINA.
Customizing GINA Part 2, Developer tutorial for writing a custom GINA.
pGina, Open Source Windows Authentication

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Vulnerability Report For Microsoft Windows NT 4.0 Terminal Server GINA | CoreLabs Advisories". www.coresecurity.com. Retrieved 2022-11-08.

[:0-2] 1 2 "Credentials Management in Windows Authentication". TechNet . Microsoft. 11 April 2013.

[:1-3] 1 2 "Winlogon and GINA". MSDN . Microsoft. Archived from the original on 2013-10-01. Retrieved 4 December 2014.

[1]

[2]

[3]