Windows NT Startup Process - Winlogon

For more details on this topic, see Winlogon.

Winlogon starts the Local Security Authority Subsystem Service (LSASS) and Service Control Manager (SCM), which in turn will start all the Windows services that are set to Auto-Start. It is also responsible for responding to the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running.

The logon process is as follows:

  • Winlogon calls GINA
  • (Optional) Logon prompt is displayed by GINA, and the user presses the secure attention sequence (Control-Alt-Delete)
  • Logon dialog is displayed by GINA
  • User enters credentials (username, password, and domain)
  • GINA passes credentials back to Winlogon
  • Winlogon passes credentials to LSASS, which determines which account database is to be used:
    • Local SAM
    • Domain SAM
    • Active Directory
  • LSASS enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.).

After a user has successfully logged in to the machine, Winlogon does the following:

  • Updates the Control Sets; the LastKnownGood control set is updated to reflect the current control set.
  • User and Computer Group Policy settings are applied.
  • Starts the shell program (typically Explorer.exe) named by the Shell= registry value. The key holding that value is located through the entry of the same name under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\Boot; that entry's default value is SYS:Microsoft\Windows NT\CurrentVersion\Winlogon, which evaluates to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

  • Startup programs are run from the following locations:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)
    • %USERPROFILE%\Start Menu\Programs\Startup\ (this path is localized on non-English versions of Windows before Vista)

At some point after calling GINA, Winlogon checks the registry for a string value named 'autoadminlogon'. If it exists, the user's credentials can be read from the registry and supplied to GINA automatically, so the interactive logon dialog is bypassed:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon
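As an added example (not part of this article), the PowerShell script below inventories the autostart locations listed above and reports the Winlogon Shell and autoadminlogon settings, so an administrator can spot an unexpected shell, a stray startup entry, or credentials left in the registry for automatic logon. It assumes a Windows host with PowerShell 3 or later and read access to the keys involved; the value names DefaultUserName and DefaultPassword are real Winlogon values that the article does not list, and reading both the HKLM and HKCU Winlogon keys is the script's own choice.

```powershell
# Added example, not from the article: inventory the autostart locations the
# article lists and report Winlogon's Shell / AutoAdminLogon settings.
# Assumes Windows with PowerShell 3+; run elevated to read HKLM fully.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # Load and Run values live here
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$StartupFolders = @(
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')  # pre-Vista layout from the article
    (Join-Path $env:USERPROFILE    'Start Menu\Programs\Startup')
    [Environment]::GetFolderPath('CommonStartup')                   # current location on newer Windows
    [Environment]::GetFolderPath('Startup')
) | Select-Object -Unique

# Directories an ordinary user can write to; autostart commands living here deserve a second look.
$UserWritableHints = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ }

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Under the "Windows" key only the Load and Run values are autostart entries.
            if ($key -like '*\CurrentVersion\Windows' -and $name -notin 'Load', 'Run') { continue }
            $cmd  = [string]$item.GetValue($name)
            $path = $cmd.TrimStart('"')   # strip a leading quote so the prefix match sees the path
            [pscustomobject]@{
                Source       = $key
                Name         = $name
                Command      = $cmd
                UserWritable = [bool]($UserWritableHints | Where-Object { $path -like "$_*" })
            }
        }
    }
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName; UserWritable = $false }
        }
    }
}

function Get-WinlogonSettings {
    # The article's Shell= lookup resolves to the HKLM Winlogon key; the HKCU key is
    # read as well because the article lists autoadminlogon under HKCU.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Key                = $key
            Shell              = $p.Shell
            AutoAdminLogon     = $p.AutoAdminLogon
            DefaultUserName    = $p.DefaultUserName       # real Winlogon value, not listed in the article
            HasDefaultPassword = [bool]$p.DefaultPassword # cleartext password stored for automatic logon
        }
    }
}

function Get-WinlogonFindings {
    # Emits one line per item worth reviewing; no output means nothing was flagged.
    foreach ($w in Get-WinlogonSettings) {
        if ($w.Key -like 'HKLM:*' -and $w.Shell -and $w.Shell -ne 'explorer.exe') {
            "Non-default shell in $($w.Key): $($w.Shell)"
        }
        if ($w.AutoAdminLogon -eq '1') {
            $detail = if ($w.HasDefaultPassword) { 'DefaultPassword is stored in cleartext' } else { 'no DefaultPassword value' }
            "AutoAdminLogon enabled in $($w.Key) for '$($w.DefaultUserName)' ($detail)"
        }
    }
    foreach ($e in Get-AutostartEntries | Where-Object UserWritable) {
        "Autostart entry '$($e.Name)' in $($e.Source) runs from a user-writable path: $($e.Command)"
    }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-WinlogonSettings | Format-List
Get-WinlogonFindings
```

The inventory is deliberately limited to the locations the article names plus the two resolved Startup folders; services, scheduled tasks and the Userinit value are separate autostart paths and are out of scope here. A finding of AutoAdminLogon with a stored DefaultPassword means anyone who can read that key can recover the password, which is the reason the setting should be disabled or the value removed on machines that do not need unattended logon.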

Winlogon's responsibilities have changed significantly from the above in Windows Vista.
