Winlogon (Windows Logon) is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creating the desktops for the window station, and optionally locking the computer when a screensaver is running (requiring another authentication step). The roles and responsibilities of Winlogon have changed significantly in Windows Vista and later operating systems.

Winlogon is launched by the Session Manager Subsystem as a part of the booting process of Windows NT. Before Windows Vista, Winlogon was responsible for starting the Service Control Manager and the Local Security Authority Subsystem Service, but since Vista these have been launched by the Windows Startup Application (wininit.exe). The first part of the logon process Winlogon conducts is starting the process that shows the user the logon screen. Before Windows Vista this was done by GINA, but starting with Vista this is done by LogonUI. These programs are responsible for getting user credentials and passing them to the Local Security Authority Subsystem Service, which authenticates the user. After control is given back to Winlogon, it creates and opens an interactive window station, WinSta0, and creates three desktops, Winlogon, Default and ScreenSaver. Winlogon switches from the Winlogon desktop to the Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. The system switches back to the Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown. Winlogon now starts the program specified in the Userinit value, which defaults to userinit.exe. This value supports multiple executables.

Winlogon is a common target for several threats that could modify its function and memory usage. Winlogon has support for plugins that get loaded and notified about specific events. Some rootkits bundle Winlogon plugins because they are loaded before any user logs in. Some registry keys allow multiple values to be supplied that allow a malicious program to be executed at the same time as a legitimate system file.

Session Manager Subsystem

The Session Manager Subsystem, or smss.exe, is a component of the Microsoft Windows NT family of operating systems, starting in Windows NT 3.1. It is executed during the startup process of those operating systems. The Session Manager Subsystem is the first user-mode process started by the kernel. Once started it creates additional paging files with configuration data from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, the environment variables located at the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, and DOS device mappings (e.g. CON:, NUL:, AUX:, COM1:, COM2:, COM3:, COM4:, PRN:, LPT1:, LPT2:, LPT3:, and drive letters) listed at the HKLM\System\CurrentControlSet\Control\Session Manager\DOS Devices registry key. This can be used to create permanent subst drives. The manager is responsible for starting the kernel and user modes of the Win32 subsystem. This subsystem includes win32k.sys (kernel-mode), winsrv.dll (user-mode), and csrss.exe (user-mode). Any other subsystems listed in the Required value of the HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems Registry key are also started. The manager is also responsible for doing any operations that are requested to be done at the start of a session. Commands listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, such as autochk and convert, are executed. These commands are run before services are loaded by later steps of the booting process. Any rename operations queued at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. This is used to allow previously in-use files (e.g. drivers) to be replaced as part of a reboot.

Starting with Windows Vista, the Session Manager Subsystem creates a temporary instance of itself that launches the Windows Startup Application (wininit.exe) and a second Client/Server Runtime Subsystem (csrss.exe) for Session 0, a session dedicated to system processes. From here, the Windows Startup Application starts the Service Control Manager (services.exe), which starts all the Windows services that are set to "Auto-Start". The application also starts the Local Security Authority Subsystem Service (lsass.exe). Before Windows Vista, these processes were started by Windows Logon instead of the Windows Startup Application. Once the session is configured, the Session Manager Subsystem starts Winlogon (Windows Logon Application), which is responsible for handling interactive logons to a Windows system, either local or remote.

After the boot process is finished, the program resides in memory and can be seen running in the Windows Task Manager. It then waits for either winlogon.exe or csrss.exe to end, at which point Windows will shut down. If the processes do not end in an expected fashion, smss.exe may hang the system, or a bugcheck will occur. It also initiates new user sessions when needed. In some versions of Windows, by using special tools, the critical process status on smss.exe can be removed; after that, it can be terminated without a bluescreen, but any functions that use smss.exe stop working until the next reboot.

The Local Session Manager Service (lsm.exe) sends requests to SMSS through the Asynchronous Local Inter-Process Communication (ALPC) port SmSsWinStationApiPort to start new sessions. Each time a user logs onto the system, the initial Session Manager creates a new instance of itself to configure a new session. This new process starts a Win32 subsystem and Winlogon process for the new session. This allows for multiple users to log on at the same time on Windows Server systems.

Service Control Manager