Winlogon handles interactive user logons and logoffs. It launches `LogonUI.exe`, which uses a credential provider to gather credentials from the user, and then passes the credentials to `lsass.exe` for validation. Once the
user is authenticated, Winlogon loads the user’s
starts the user’s shell (usually
Executable’s image path.
The process that spawned the analyzed process.
Created by an instance of `smss.exe` that exits, so analysis tools usually do not provide the parent process name.
Number of instances of the process expected to be running during normal Windows operation.
One or more
Windows account under which the process was launched. This defines what privileges the process has.
Time at which the process is expected to be launched.
Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.
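
The baseline above (parent `smss.exe` instance already exited, one or more instances, first Session 1 instance within seconds of boot) can be checked mechanically against a process listing. The following is an added example, not part of the original page: the record schema (`pid`, `ppid`, `name`, `session`, `start`), the 60-second reading of "within seconds", and the sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: "within seconds of boot" is read as 60 s; tune for the environment.
BOOT_WINDOW = timedelta(seconds=60)

def check_winlogon(procs, boot_time):
    """Return findings for winlogon.exe records that deviate from the baseline.

    procs: dicts with pid, ppid, name, session, start (hypothetical schema).
    """
    by_pid = {p["pid"]: p for p in procs}
    instances = sorted((p for p in procs if p["name"].lower() == "winlogon.exe"),
                       key=lambda p: p["start"])
    if not instances:
        return ["no winlogon.exe instance (expected one or more)"]
    findings, seen_sessions = [], set()
    for p in instances:
        parent = by_pid.get(p["ppid"])
        # A "parent" that started after its child is a reused PID, not a real parent.
        if parent and parent["start"] <= p["start"] and parent["name"].lower() != "smss.exe":
            findings.append(f"pid {p['pid']}: live parent {parent['name']} (expected exited smss.exe)")
        # Inferred from the baseline: additional instances belong to new sessions.
        if p["session"] in seen_sessions:
            findings.append(f"pid {p['pid']}: second instance in session {p['session']}")
        seen_sessions.add(p["session"])
    first_s1 = next((p for p in instances if p["session"] == 1), None)
    if first_s1 and first_s1["start"] - boot_time > BOOT_WINDOW:
        findings.append(f"pid {first_s1['pid']}: session 1 instance started "
                        f"{first_s1['start'] - boot_time} after boot")
    return findings

# Constructed sample data (not taken from a real system).
BOOT = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE = [
    {"pid": 612, "ppid": 520, "name": "winlogon.exe", "session": 1, "start": BOOT + timedelta(seconds=5)},
    {"pid": 4820, "ppid": 4700, "name": "winlogon.exe", "session": 2, "start": BOOT + timedelta(hours=2)},
    {"pid": 4700, "ppid": 900, "name": "notepad.exe", "session": 2, "start": BOOT + timedelta(hours=3)},
    {"pid": 6120, "ppid": 3000, "name": "cmd.exe", "session": 1, "start": BOOT + timedelta(hours=4)},
    {"pid": 7004, "ppid": 6120, "name": "winlogon.exe", "session": 1, "start": BOOT + timedelta(hours=4, minutes=1)},
]

if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE, BOOT):
        print(finding)
```

In the sample, PID 4820 is not flagged even though its parent PID resolves to a live process, because that process started later and is therefore a reused PID; PID 7004 is flagged for both its live `cmd.exe` parent and for being a second instance in Session 1.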