Winlogon

Classic "Begin logon" dialog box on Windows XP
Windows 11 lock screen, requiring the user to press Ctrl+Alt+Delete.

Winlogon (Windows Logon) is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creating the desktops for the window station, and optionally locking the computer when a screensaver is running (requiring another authentication step). In Windows Vista and later operating systems, the roles and responsibilities of Winlogon have changed significantly.


Overview

Winlogon is launched by the Session Manager Subsystem as a part of the booting process of Windows NT.

Before Windows Vista, Winlogon was responsible for starting the Service Control Manager and the Local Security Authority Subsystem Service, but since Vista these have been launched by the Windows Startup Application (wininit.exe). [1]

The first part of the logon process Winlogon conducts is starting the component that shows the user the logon screen. Before Windows Vista this was the GINA, a replaceable DLL loaded into the Winlogon process itself, [2] but starting with Vista this is done by LogonUI, a separate process that hosts credential providers. These components are responsible for collecting the user's credentials and passing them to the Local Security Authority Subsystem Service, which authenticates the user.

Before any logon UI is displayed, Winlogon creates and opens the interactive window station, WinSta0, [3] and creates three desktops within it: Winlogon, Default and ScreenSaver. The logon screen and the locked-workstation UI run on the Winlogon desktop, which only the Winlogon process (running as SYSTEM) can access, so ordinary user processes cannot read its keyboard input or draw over it. After a successful logon, Winlogon switches from the Winlogon desktop to the Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. [4]

The system switches back to the Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown. [4] Winlogon then starts the program named in the Userinit value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which defaults to userinit.exe. The value is a comma-separated list, so more than one executable can be started from it. [5]

Responsibilities

Window station and desktop protection
Winlogon sets the protection of the window station and corresponding desktops to ensure that each is properly accessible. In general, this means that the local system will have full access to these objects and that an interactively logged-on user will have read access to the window station object and full access to the application desktop object.
Standard SAS recognition
Winlogon has special hooks into the User32 server that allow it to monitor Control-Alt-Delete secure attention sequence (SAS) events. Winlogon makes this SAS event information available to GINAs/credential providers to use as their SAS, or as part of their SAS. In general, GINAs should monitor SASs on their own; however, any GINA that has the standard Ctrl+Alt+Del SAS as one of the SASs it recognizes should use the Winlogon support provided for this purpose.
SAS routine dispatching
When Winlogon encounters a SAS event or when a SAS is delivered to Winlogon by the GINA, Winlogon sets the state accordingly, changes to the Winlogon desktop, and calls one of the SAS processing functions of the GINA.
User profile loading
When users log on, their user profiles are loaded into the registry. In this way, the processes of the user can use the special registry key HKEY_CURRENT_USER. Winlogon does this automatically after a successful logon but before activation of the shell for the newly logged-on user.
Assignment of security to user shell
When a user logs on, the GINA is responsible for creating one or more initial processes for that user. Winlogon provides a support function for the GINA to apply the security of the newly logged-on user to these processes. However, the preferred way to do this is for the GINA to call the Windows function CreateProcessAsUser, and let the system provide the service.
Screen saver control
Winlogon monitors keyboard and mouse activity to determine when to activate screen savers. After the screen saver is activated, Winlogon continues to monitor keyboard and mouse activity to determine when to terminate the screen saver. If the screen saver is marked as secure, Winlogon treats the workstation as locked. When there is mouse or keyboard activity, Winlogon invokes the WlxDisplayLockedNotice function of the GINA and locked workstation behavior resumes. If the screen saver is not secure, any keyboard or mouse activity terminates the screen saver without notification to the GINA.
Multiple network provider support
Multiple networks installed on a Windows system can be included in the authentication process and in password-updating operations. This inclusion lets additional networks gather identification and authentication information all at once during normal logon, using the secure desktop of Winlogon. Some of the parameters required in the Winlogon services available to GINAs explicitly support these additional network providers.

Vulnerabilities

Winlogon runs as SYSTEM and is active before any user logs on, which makes it a common persistence target for malware that wants to modify its behaviour or run code in its context. Winlogon has support for plugins (notification packages) that get loaded and notified about specific events such as logon, logoff and lock. [6] Some rootkits register themselves as Winlogon notification packages because they are loaded before any user logs in. In addition, the Userinit and Shell registry values under the Winlogon key accept a comma-separated list of executables, so a malicious program can be appended and executed alongside the legitimate system file on every logon; MITRE ATT&CK tracks these registry abuses as Winlogon Helper DLL, sub-technique T1547.004. [7]
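The following PowerShell audits the registry locations named in the Overview (the Userinit list) and in this section (Userinit, Shell, and the Notify subkeys). It is an added example, not code from the article, from Microsoft, or from MITRE. The "expected" defaults it compares against are an assumption for a stock 64-bit Windows install and the sample values at the bottom are constructed for illustration, not captured from a real system; the helper names (Split-WinlogonValue, Test-WinlogonValue, Get-WinlogonAutostartFindings) are hypothetical.

```powershell
# Added example (not code from the article or from Microsoft). Audits the
# Winlogon registry values that T1547.004 abuses: the comma-separated
# Userinit and Shell lists and the legacy Notify subkeys. Run as an
# administrator on the host being checked.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumption: stock defaults for a 64-bit install. Adjust if your build or
# management tooling legitimately changes them.
$ExpectedEntries = @{
    Userinit = @('C:\Windows\system32\userinit.exe')
    Shell    = @('explorer.exe')
}

function Split-WinlogonValue {
    # Winlogon treats Userinit and Shell as comma-separated lists. The default
    # Userinit value ends in a comma, which yields an empty field; drop it.
    param([string]$Value)
    $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

function Test-WinlogonValue {
    # Emits one finding object per problem and nothing for a clean value.
    param(
        [string]$Name,
        [string]$Value,
        [string[]]$Expected
    )
    $entries = @(Split-WinlogonValue -Value $Value)
    foreach ($entry in $entries) {
        # -notcontains is case-insensitive, matching how Windows resolves paths.
        if ($Expected -notcontains $entry) {
            [pscustomobject]@{ Value = $Name; Entry = $entry; Reason = 'entry not in expected list' }
        }
    }
    if ($entries.Count -gt 1) {
        # A second executable here runs alongside the legitimate one, inside
        # Winlogon's logon sequence, on every logon.
        [pscustomobject]@{ Value = $Name; Entry = ($entries -join ','); Reason = 'more than one executable listed' }
    }
}

function Get-WinlogonAutostartFindings {
    # Reads the live registry and returns all findings as an array (empty if clean).
    $props = Get-ItemProperty -Path $WinlogonKey
    @(
        foreach ($name in $ExpectedEntries.Keys) {
            Test-WinlogonValue -Name $name -Value ([string]$props.$name) -Expected $ExpectedEntries[$name]
        }
        # Notify: each subkey names a DLL that Winlogon loads as SYSTEM before any
        # user logs on. Notification packages are not used on Vista or later, so
        # any subkey on a modern system deserves a look.
        Get-ChildItem -Path "$WinlogonKey\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
            [pscustomobject]@{ Value = "Notify\$($_.PSChildName)"; Entry = $dll; Reason = 'notification package registered' }
        }
    )
}

# Constructed sample values (not captured from a real system): a legitimate
# Userinit, and one with an extra executable appended after the comma, which
# is the pattern the article describes.
$cleanUserinit    = 'C:\Windows\system32\userinit.exe,'
$tamperedUserinit = 'C:\Windows\system32\userinit.exe,C:\Users\Public\svchost.exe,'

Test-WinlogonValue -Name Userinit -Value $cleanUserinit    -Expected $ExpectedEntries.Userinit
Test-WinlogonValue -Name Userinit -Value $tamperedUserinit -Expected $ExpectedEntries.Userinit

# Live check of this host:
Get-WinlogonAutostartFindings | Format-Table -AutoSize
```

The tampered sample produces two findings (the unexpected path, and the fact that more than one executable is listed) while the clean sample produces none. Because the comparison is a whitelist, a replacement of userinit.exe by a same-named binary in a different directory is also caught; a trojanised file at the legitimate path is not, so pair this check with file-hash or signature verification of userinit.exe and explorer.exe.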


References

  1. "Windows Administration: Inside the Windows Vista Kernel: Part 2". learn.microsoft.com. Retrieved 2023-05-14.
  2. Russinovich, Mark E.; Solomon, David (2005). Microsoft Windows Internals (4th ed.). Redmond, Washington: Microsoft Press. p. 81. ISBN 978-0735619173.
  3. "Window Stations". MSDN. Microsoft Corporation. Retrieved 2014-04-19.
  4. "Desktops". MSDN. Microsoft Corporation. Retrieved 2014-04-19.
  5. Ionescu, Alex; Russinovich, Mark; Solomon, David A. (2012). Windows Internals, Part 1 (6th ed.). Redmond, Washington: Microsoft Press. p. 77. ISBN 978-0735648739.
  6. "Winlogon Notification Events - Win32 apps". learn.microsoft.com. Retrieved 2023-05-14.
  7. "Boot or Logon Autostart Execution: Winlogon Helper DLL, Sub-technique T1547.004 - Enterprise | MITRE ATT&CK". attack.mitre.org. Retrieved 2023-05-14.
  8. Warren, Tom (2020-09-25). "Windows XP source code leaks online". The Verge. Retrieved 2020-09-27.