The Logon Process
WinLogon
Users must log on to a Windows NT machine in order to use that NT-based machine or
network. The logon process itself is mandatory and cannot be bypassed. Once the user has
logged on, an access token is created (this token will be discussed in more detail later).
This token contains user-specific security information, such as the security identifier, group
identifiers, user rights and permissions. The user, as well as all processes spawned by the
user, are identified to the system with this token.
The first step in the WinLogon process is something we are all familiar with:
CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS; the SAS
key combination can be changed, which we will also discuss later). The SAS is a signal to the
operating system that someone is trying to log on. After the SAS is triggered, all user-mode
applications pause until the security operation completes or is cancelled. (Note:
the SAS is not just a logon operation; this same key combination can be used for logging
on, logging off, changing a password or locking the workstation.) The pausing, or
closing, of all user-mode applications during the SAS is a security feature that most people
take for granted and don't understand. Because applications are paused, logon-related
trojans are stopped, and keyloggers (programs that run in memory, keeping track of
keystrokes and therefore recording someone's password) are stopped as well.
The user name is not case sensitive but the password is.
After typing in your information and clicking OK (or pressing Enter), the WinLogon
process supplies the information to the security subsystem, which in turn compares the
information with the Security Accounts Manager (SAM). If the information matches what is
stored in the SAM, an access token is created for the user. WinLogon
takes the access token and passes it on to the Win32 subsystem, which in turn starts the
operating system's shell. The shell, as well as all other spawned processes, will receive a
token. This token is not only used for security, but also allows NT's auditing and logging
features to track user usage and access of network resources.
Note: all of the logon components are located in a file known as the Graphical
Identification and Authentication (GINA) module, specifically MSGINA.DLL. Under
certain conditions this file can be replaced, which is how you would change the SAS key
combination.
For fine-tuning of the WinLogon process, you can refer to the registry. All of the options
for the WinLogon process are contained in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
area. You can also fine-tune the process by using the Policy Editor.
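A defender-side check of the Winlogon registry area named above and of the access token described earlier, added here as an example and not part of the Rhino9 text. It assumes a Windows host with PowerShell and read access to HKLM, and treats GinaDLL as the NT-era Winlogon value that names a replacement GINA module (an assumption about the value name; Vista and later ignore it in favour of credential providers, but an unexpected value is still worth reporting).

```powershell
# Added example, not part of the Rhino9 text. Assumes Windows PowerShell 5+
# with read access to HKLM. 'GinaDLL' is assumed to be the NT-era value naming
# a replacement GINA; a missing value means the default MSGINA.DLL is in use.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonAudit {
    $p = Get-ItemProperty -Path $WinlogonKey
    $gina = if ($p.GinaDLL) { $p.GinaDLL } else { 'MSGINA.DLL (default, value not set)' }
    [pscustomobject]@{
        GinaDLL        = $gina
        GinaIsDefault  = (-not $p.GinaDLL) -or ($p.GinaDLL -ieq 'msgina.dll')
        Shell          = $p.Shell          # shell started after a successful logon
        Userinit       = $p.Userinit       # runs before the shell; a common tamper point
        AutoAdminLogon = $p.AutoAdminLogon # '1' means the machine logs on at boot without the SAS
    }
}

function Get-TokenSummary {
    # The access token of the current process: user SID, group SIDs and privileges.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($g in $id.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }
    [pscustomobject]@{
        User       = $id.Name
        UserSid    = $id.User.Value
        Groups     = ($groups | Sort-Object)
        # whoami has no PowerShell equivalent for privileges; parse its CSV output.
        Privileges = (& whoami /priv /fo csv | ConvertFrom-Csv |
                      Select-Object -ExpandProperty 'Privilege Name')
    }
}

$audit = Get-WinlogonAudit
$audit | Format-List
if (-not $audit.GinaIsDefault) {
    Write-Warning "Non-default GINA module configured: $($audit.GinaDLL)"
}
if ($audit.AutoAdminLogon -eq '1') {
    Write-Warning 'AutoAdminLogon is enabled: the SAS step is skipped at boot'
}
Get-TokenSummary | Format-List
```

Run it in an elevated and in a non-elevated session to see how the same user's token differs in group membership and enabled privileges.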
Logging on to a Domain
If an NT machine is a participant in a Domain, you would not only need to log on to the
local machine, but to the Domain as well. If a computer is a member of a Domain, the
WinLogon process is replaced by the NetLogon process.
Source: The Rhino9 Team