Winlogon starts the Local Security Authority Subsystem Service (LSASS) and Service Control Manager (SCM), which in turn will start all the Windows services that are set to Auto-Start. It is also responsible for responding to the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running.
The logon process is as follows:
- Winlogon calls GINA
- (Optional) Logon prompt is displayed by GINA, and the user presses the secure attention sequence (Control-Alt-Delete)
- Logon dialog is displayed by GINA
- User enters credentials (username, password, and domain)
- GINA passes credentials back to Winlogon
- Winlogon passes credentials to LSASS, which determines which account database is to be used:
- Local SAM
- Domain SAM
- Active Directory
- LSASS enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.).
After a user has successfully logged in to the machine, Winlogon does the following:
- Updates the Control Sets; the LastKnownGood control set is updated to reflect the current control set.
- User and Computer Group Policy settings are applied.
- Starts the shell program (typically Explorer.exe) named by the Shell= registry entry. The location of that entry is given by the Shell value in the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot; its default value is SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, which evaluates to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Startup programs are run from the following locations:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)
- %USERPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)
At some point after calling GINA, Winlogon checks the registry for a string value named 'autoadminlogon'; if it exists, user credentials can be pulled from the registry and inserted into the GINA automatically.
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon
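The startup locations and the Winlogon values described above are the places a defender baselines when auditing a machine for unexpected logon-time programs. The following PowerShell script is an added example, not code from the original article or from Microsoft: it enumerates the registry Run/RunOnce/Load keys and startup folders listed above, reads the Shell value from the Winlogon key, and reports whether automatic logon is enabled. The registry paths are the ones the article lists; the DefaultUserName/DefaultPassword values, the HKLM check of AutoAdminLogon (the article names the HKCU path, so both hives are read), and the use of [Environment]::GetFolderPath in place of the pre-Vista folder paths are assumptions added here.

```powershell
# Added example (not from the original article): baseline the auto-start
# locations and Winlogon values discussed above so unexpected entries stand out.

# Keys whose named values are commands launched at logon. The 'Windows' key is
# special: only its Load and Run values are auto-start entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RegistryAutoStart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($key -like '*\Windows NT\CurrentVersion\Windows' -and $name -notin @('Load', 'Run')) { continue }
            [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

function Get-StartupFolderItems {
    # The article gives the pre-Vista '...\Start Menu\Programs\Startup' paths;
    # the special-folder lookup resolves the same folders on any version and in
    # any language (assumption: modern PowerShell on Windows).
    foreach ($folder in 'CommonStartup', 'Startup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        Get-ChildItem -LiteralPath $path -File | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-WinlogonState {
    # Shell normally reads 'explorer.exe'; anything else deserves an explanation.
    # AutoAdminLogon = '1' means credentials stored in the registry are used
    # automatically. The stored password itself is deliberately never displayed,
    # only whether one is present (DefaultPassword is an assumed value name).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        [pscustomobject]@{
            Key                = $key
            Shell              = $p.Shell
            ShellIsDefault     = ($null -eq $p.Shell) -or ($p.Shell -ieq 'explorer.exe')
            AutoAdminLogon     = $p.AutoAdminLogon
            DefaultUserName    = $p.DefaultUserName
            DefaultPasswordSet = -not [string]::IsNullOrEmpty($p.DefaultPassword)
        }
    }
}

# Usage: list everything, then warn on the two conditions a reviewer cares about.
Get-RegistryAutoStart  | Format-Table -AutoSize
Get-StartupFolderItems | Format-Table -AutoSize
Get-WinlogonState      | Format-List
Get-WinlogonState | Where-Object { -not $_.ShellIsDefault -or $_.AutoAdminLogon -eq '1' } |
    ForEach-Object { Write-Warning "Review $($_.Key): Shell='$($_.Shell)', AutoAdminLogon='$($_.AutoAdminLogon)'" }
```

Run it once on a known-good build to capture a baseline, then diff later runs against it; a new value under any Run key, a Shell value other than explorer.exe, or AutoAdminLogon set to 1 with a stored DefaultPassword are the findings worth following up.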
Winlogon's responsibilities have changed significantly from the above in Windows Vista.