winlogon.exe

The Windows Logon Application.
winlogon.exe is a user-mode process that manages the interactive logon and logoff of users and handles the Ctrl-Alt-Delete keyboard sequence (aka Secure Authentication Sequence or SAS).
winlogon.exe queries the value Userinit under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, whose default value is C:\Windows\system32\userinit.exe.

Debugging winlogon.exe

winlogon.exe can be debugged by setting the value of Debugger under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Image File Execution Options\winlogon.exe to
ntsd -d -x -g
-d passes control to the kernel debugger.
-x causes the debugger to capture access violations as second-chance exceptions.
-g causes the WinLogon process to run after the attachment.
Additionally, the value of GlobalFlag under the same registry key should be set to 0x000400F0, which sets heap checking and FLG_ENABLE_KDEBUG_SYMBOL_LOAD.
See also the System Global Flags Debug initial command (FLG_DEBUG_INITIAL_COMMAND) and Debug initial command (FLG_DEBUG_INITIAL_COMMAND_EX).

See also

userenv.dll «runs» inside winlogon.exe.
The value of mpnotify under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
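
The values named on this page (Userinit, mpnotify, and Debugger/GlobalFlag under Image File Execution Options) decide what runs at logon or how winlogon.exe is started, so they are worth auditing. The read-only PowerShell script below is an added example, not part of the original notes; the helper names Get-RegValue and Get-UnexpectedUserinit are hypothetical, the expected Userinit program is assumed to be %SystemRoot%\system32\userinit.exe, and the IFEO key is checked both at the path written above and under Windows NT\CurrentVersion.

```powershell
# Added example: read-only audit of the registry values named on this page.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# IFEO key for winlogon.exe: the path as written on this page, plus the
# Windows NT\CurrentVersion location (assumption: check both, report what exists).
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Image File Execution Options\winlogon.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe'
)
# Assumption: the expected Userinit program is built from %SystemRoot%.
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns nothing when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UnexpectedUserinit([string]$Value, [string]$Expected) {
    # Userinit is a comma-separated list of programs and may end with a
    # trailing comma, so split, trim and drop empty entries before comparing.
    $entries = @($Value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    if ($entries.Count -eq 0) { return ,@('<missing or empty>') }
    return ,@($entries | Where-Object { $_ -ne $Expected })   # -ne ignores case
}

$findings = @()
$extra = Get-UnexpectedUserinit (Get-RegValue $winlogonKey 'Userinit') $expectedUserinit
if ($extra.Count -gt 0) { $findings += "Userinit: unexpected entries: $($extra -join '; ')" }

# Report mpnotify whenever it is set so the configured program can be reviewed.
$mpnotify = Get-RegValue $winlogonKey 'mpnotify'
if ($mpnotify) { $findings += "mpnotify is set: $mpnotify" }

# Debugger or GlobalFlag on winlogon.exe is only expected on a debugging machine.
foreach ($key in $ifeoKeys) {
    foreach ($name in 'Debugger', 'GlobalFlag') {
        $value = Get-RegValue $key $name
        if ($null -ne $value) { $findings += "$key : $name = $value" }
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```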