Winlogon (Windows Logon) is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creates the desktops for the window station, and optionally locking the computer when a screensaver is running (requiring another authentication step). In Windows Vista and later operating systems, the roles and responsibilities of Winlogon have changed significantly.
Winlogon is launched by the Session Manager Subsystem as a part of the booting process of Windows NT.
Before Windows Vista, Winlogon was responsible for starting the Service Control Manager and the Local Security Authority Subsystem Service, but since Vista these have been launched by the Windows Startup Application (wininit.exe
). [1]
The first part of the logon process Winlogon conducts is starting the process that shows the user the logon screen. Before Windows Vista this was done by GINA, [2] but starting with Vista this is done by LogonUI. These programs are responsible for getting user credential and passing them to the Local Security Authority Subsystem Service, which authenticates the user.
After control is given back to Winlogon, it creates and opens an interactive window station, WinSta0
, [3] and creates three desktops, Winlogon
, Default
and ScreenSaver
. Winlogon switches from the Winlogon desktop to the Default
desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. [4]
The system switches back to the Winlogon
desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown. [4] Winlogon now starts the program specified in the Userinit value which defaults to userinit.exe
. This value supports multiple executables. [5]
Winlogon is a common target for several threats that could modify its function and memory usage. Winlogon has support for plugins that get loaded and notified about specific events. [6] Some rootkits bundle Winlogon plugins because they are loaded before any user logs in. Some registry keys allow multiple values to be supplied that allow a malicious program to be executed at the same time as a legitimate system file. [7]
Fast user switching is a feature of a multi-user operating system which allows users to switch between user accounts without quitting applications and logging out.
Windows Console is the infrastructure for console applications in Microsoft Windows. An instance of a Windows Console has a screen buffer and an input buffer. It allows console apps to run inside a window or in hardware text mode. The user can switch between the two using the Alt+↵ Enter key combination. The text mode is unavailable in Windows Vista and later. Starting with Windows 10, however, a native full-screen mode is available.
The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on. GINA is discontinued in Windows Vista.
As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.
The booting process of Windows NT is the process run to start Windows NT. The process has been changed between releases, with the biggest changes being made with Windows Vista. In versions before Vista, the booting process begins when the BIOS loads the Windows NT bootloader, NTLDR. Starting with Vista, the booting process begins with either the BIOS or UEFI load the Windows Boot Manager, which replaces NTLDR as the bootloader. Next, the bootloader starts the kernel, which starts the session manager, which begins the login process. Once the user is logged in, File Explorer, the graphical user interface used by Windows NT, is started.
User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges and malware are kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.
The Session Manager Subsystem, or smss.exe
, is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the startup process of those operating systems.
Client Server Runtime Subsystem, or csrss.exe
, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later. Because most of the Win32 subsystem operations have been moved to kernel mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown. It is critical to system operation; therefore, terminating this process will result in system failure. Under normal circumstances, CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Windows Vista if the Task Manager is run in Administrator mode. On Windows 7 and later, Task Manager will inform the user that terminating the process may result in system failure, and prompt if they want to continue. In Windows NT 4.0 however, terminating CSRSS without the Session Manager Subsystem (SMSS) watching will not crash the system. However, in Windows XP, terminating CSRSS without SMSS watching will crash the system due to the critical bit being set in RAM for csrss.exe.
There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.
The booting process of Microsoft Windows varies between different releases.
Microsoft PowerToys is a set of freeware system utilities designed for power users developed by Microsoft for use on the Windows operating system. These programs add or change features to maximize productivity or add more customization. PowerToys are available for Windows 95, Windows XP, Windows 10 and Windows 11. The PowerToys for Windows 10 and Windows 11 are free and open-source software licensed under the MIT License and hosted on GitHub.
A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.
Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.
Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.
Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.
GraphOn GO-Global is a multi-user remote access application for Windows.
Network Level Authentication (NLA) is a feature of Remote Desktop Services or Remote Desktop Connection that requires the connecting user to authenticate themselves before a session is established with the server.
The transition from Windows 7 to Windows 8 introduced a number of new features across various aspects of the operating system. These include a greater focus on optimizing the operating system for touchscreen-based devices and cloud computing.
Control-Alt-Delete is a computer keyboard command on IBM PC compatible computers, invoked by pressing the Delete key while holding the Control and Alt keys: Ctrl+Alt+Delete. The function of the key combination differs depending on the context but it generally interrupts or facilitates interrupting a function. For instance, in pre-boot environment or in MS-DOS, Windows 3.0 and earlier versions of Windows or OS/2, the key combination reboots the computer. Starting with Windows 95, the key combination invokes a task manager or security related component that facilitates ending a Windows session or killing a frozen application.