search
GitHubFacebookLinkedin
Page cover

πŸšͺWindows Logon Process

What is logon in windows ?

Table of Contents:

  1. Intro to logon in windows

  2. Key Components of the Logon Process

  3. Steps in the Logon Process

  4. Types of Logons

  5. Security Features of the Logon Process

hashtag
Intro to logon in windows

  • A logon (or login) in Windows is the process by which a user or system gains access to a computer or network by providing valid credentials.

  • Windows-based computers secure resources by implementing the logon process, in which users are authenticated.

  • This process is fundamental to Windows security, as it ensures that only authorized users and systems can access resources.

  • After a user is authenticated, authorization and access control technologies implement the second phase of protecting resources: determining if the authenticated user is authorized to access a resource.

  • The logon process involves several components and steps, and it varies depending on the type of logon (e.g., interactive, network, service), each playing a vital role in verifying user credentials, enforcing security policies, and creating a secure user session.

hashtag
Key Components of the Logon Process

hashtag
The logon process in Windows involves several critical components:

hashtag
Winlogon (Windows Logon Process)

hashtag
LSASS (Local Security Authority Subsystem Service)

  • Authenticates user credentials.

  • Verifies credentials against the SAM database (workgroup) or Active Directory (domain).

  • Generates access tokens for authenticated users.

hashtag
SAM Database or Active Directory

  • SAM Database: Stores local user accounts (workgroup/standalone machines).

  • Active Directory: Stores domain user accounts (domain environment).

hashtag
Credential Providers

  • Allows users to authenticate with different methods (password, PIN, biometrics).

  • Replaces the older GINA (Graphical Identification and Authentication) model.

hashtag
Access Token

  • Generated after successful authentication.

  • Contains user’s SID, group SIDs, and privileges for access control.

hashtag
Steps in the Logon Process

hashtag
User Initiates Logon

  • User presses Ctrl+Alt+Del(When system is PowerOn) or powers on the machine(When system is PowerOff).

hashtag
Winlogon Displays the Login Screen

  • Secure Desktop prompts the user for credentials.

hashtag
User Enters Credentials

  • Username and password (or PIN/biometric data) are provided.

hashtag
Credentials are Passed to LSASS

  • Credentials are sent to LSASS for authentication.

hashtag
Authentication

  • Workgroup: LSASS verifies credentials in the local SAM database.

  • Domain: LSASS communicates with a domain controller for verification.

hashtag
Token Generation

  • LSA generates an access token upon successful authentication.

hashtag
User Shell is Launched

  • Windows loads Explorer.exe and the desktop environment.

hashtag
Access Control

  • The user’s access token determines access to resources (files, registry keys, etc.).

hashtag
Types of Logons

hashtag
Interactive Logon

  • User logs in directly at the machine.

  • Example: Logging into a local machine or via Remote Desktop.

hashtag
Network Logon

  • User/system accesses resources over a network.

  • Example: Accessing a shared folder on another computer.

hashtag
Batch Logon

  • Used for scheduled tasks or batch jobs.

  • Example: Running a Task Scheduler job.

hashtag
Service Logon

  • Used when a Windows service runs under a specific account.

  • Example: A web server service running as a custom user account.

hashtag
Unlock Logon

  • User unlocks a locked workstation/session.

  • Example: Unlocking a machine after Ctrl+Alt+Del.

hashtag
Remote Interactive Logon

  • User logs into a remote machine via RDP.

  • Example: Using Remote Desktop (RDP) to access a server.

hashtag
Cached Interactive Logon

  • User logs in with cached credentials (offline mode).

  • Example: Logging into a laptop while offline.

hashtag
New Credentials Logon

  • Alternate credentials are provided for resource access.

  • Example: Using RunAs to execute a program as another user.

hashtag
System Logon

  • System logs in using the Local System account.

  • Example: Startup processes during boot.

hashtag
Security Features of the Logon Process

hashtag
Secure Desktop

  • The login screen runs in an isolated environment to prevent credential theft.

hashtag
Credential Providers

  • Supports multiple authentication methods (password, PIN, biometrics).

hashtag
Account Lockout

  • After multiple failed attempts, the account locks to prevent brute-force attacks.

hashtag
Audit Logging

  • Logon events (success & failure) are logged in the Security Event Log.

hashtag
LSA Protection

  • The LSASS process is protected to prevent unauthorized access or credential dumping.

PreviousWindows SIDNextSecurity principals

Last updated