winlogon.exe is a user-mode process that manages the interactive logon and logoff of users and handles the Ctrl-Alt-Delete keyboard sequence (aka Secure Authentication Sequence or SAS).

winlogon.exe queries the Userinit value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, whose default value is C:\Windows\system32\userinit.exe.

winlogon.exe can be debugged by setting the Debugger value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe to ntsd -d -x -g. -d passes control to the kernel debugger, -x causes the debugger to capture access violations as second-chance exceptions, and -g causes the WinLogon process to run after the attachment. The GlobalFlag value under the same Image File Execution Options key should be set to 0x000400F0, which enables heap checking and FLG_ENABLE_KDEBUG_SYMBOL_LOAD. … (FLG_DEBUG_INITIAL_COMMAND) and Debug initial command (FLG_DEBUG_INITIAL_COMMAND_EX).

userenv.dll «runs» inside winlogon.exe. mpnotify is another value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
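As an added example (not code from the original page), the Python below decodes a GlobalFlag DWORD such as 0x000400F0 into its gflags bit names and audits a reg export of the Image File Execution Options key for Debugger and GlobalFlag entries, which is how a defender would check whether the settings described above are present on a host. The registry export text is constructed here, and the flag table is a subset of the documented gflags bits.

```python
import re

# Subset of the GlobalFlag bits gflags.exe documents; enough to decode 0x000400F0.
GFLAGS = {
    0x00000004: "FLG_DEBUG_INITIAL_COMMAND",
    0x00000010: "FLG_HEAP_ENABLE_TAIL_CHECK",
    0x00000020: "FLG_HEAP_ENABLE_FREE_CHECK",
    0x00000040: "FLG_HEAP_VALIDATE_PARAMETERS",
    0x00000080: "FLG_HEAP_VALIDATE_ALL",
    0x00020000: "FLG_ENABLE_CSRDEBUG",
    0x00040000: "FLG_ENABLE_KDEBUG_SYMBOL_LOAD",
    0x04000000: "FLG_DEBUG_INITIAL_COMMAND_EX",
}

def decode_globalflag(value):
    """Names of the bits set in a GlobalFlag DWORD; bits outside the table as hex."""
    return [GFLAGS.get(1 << b, "0x%08X" % (1 << b)) for b in range(32) if value >> b & 1]

# Constructed `reg export` of the IFEO key (sample input, not captured from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe]
"Debugger"="ntsd -d -x -g"
"GlobalFlag"=dword:000400f0
"""

IFEO_KEY = re.compile(r'^\[.*\\Image File Execution Options\\([^\\\]]+)\]$', re.I)
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')

def audit_ifeo(reg_text):
    """Map each IFEO image subkey to its Debugger command (None if unset) and the
    decoded GlobalFlag names. A Debugger entry deserves review: Windows launches
    that command instead of the image whenever the image is started."""
    findings, image = {}, None
    for line in reg_text.splitlines():
        key = IFEO_KEY.match(line)
        if key:
            image = key.group(1).lower()
            findings[image] = {"Debugger": None, "GlobalFlag": []}
            continue
        val = REG_VALUE.match(line)
        if image is None or not val:
            continue
        name, raw = val.group(1).lower(), val.group(2)
        if name == "debugger" and raw.startswith('"'):
            findings[image]["Debugger"] = raw.strip('"')
        elif name == "globalflag" and raw.lower().startswith("dword:"):
            findings[image]["GlobalFlag"] = decode_globalflag(int(raw[6:], 16))
    return findings
```

Run it against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` to list every image that has a Debugger configured.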