Winlogon handles interactive user logons and logoffs. It launches `LogonUI.exe`, which uses a credential provider to gather credentials from the user, and then passes the credentials to `lsass.exe` for validation. Once the user is authenticated, Winlogon loads the user’s `NTUSER.DAT` into `HKCU` and starts the user’s shell (usually `explorer.exe`) via `userinit.exe`.
Executable’s image path.
%SystemRoot%\System32\winlogon.exe
The process that spawned the analyzed process.
Created by an instance of `smss.exe` that exits, so analysis tools usually do not provide the parent process name.
Expected number of instances of the process normally running on Windows.
One or more
Windows account under which the process was launched. This defines what privileges the process has.
Local System
Expected time at which the process is launched.
Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.
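The baseline above can be turned into a triage check over a process listing exported from an EDR or memory-analysis tool. The following is an added example, not part of the original page; the record fields, the `C:\Windows` system root, the accepted account-name spellings and the 60-second boot window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed spellings that tools use for the Local System account.
SYSTEM_NAMES = {r"nt authority\system", "system", "local system"}
# Assumed threshold for "within seconds of boot time".
BOOT_WINDOW = timedelta(seconds=60)

def check_winlogon(procs, boot_time, system_root=r"C:\Windows"):
    """Return (pid, finding) pairs for winlogon.exe records that deviate from the baseline."""
    expected = (system_root + r"\System32\winlogon.exe").lower()
    hits = [p for p in procs if p["name"].lower() == "winlogon.exe"]
    # Baseline says one or more instances: none at all is itself a finding.
    findings = [] if hits else [(None, "no winlogon.exe instance found")]
    for p in hits:
        pid = p["pid"]
        if p["path"].lower() != expected:
            findings.append((pid, "unexpected image path: " + p["path"]))
        if p["user"].lower() not in SYSTEM_NAMES:
            findings.append((pid, "not running as Local System: " + p["user"]))
        # The smss.exe parent exits, so a missing parent name is normal.
        parent = p["parent"]
        if parent is not None and parent.lower() != "smss.exe":
            findings.append((pid, "unexpected live parent: " + parent))
        # Only the Session 1 instance is tied to boot time; later sessions
        # (Remote Desktop, Fast User Switching) start whenever they are created.
        if p["session"] == 1 and p["start"] - boot_time > BOOT_WINDOW:
            findings.append((pid, "Session 1 instance started long after boot"))
    return findings

# Constructed sample data: two instances that match the baseline, one that does not.
BOOT = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE = [
    {"pid": 612, "name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe",
     "user": r"NT AUTHORITY\SYSTEM", "parent": None, "session": 1,
     "start": BOOT + timedelta(seconds=8)},
    {"pid": 4120, "name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe",
     "user": r"NT AUTHORITY\SYSTEM", "parent": None, "session": 2,
     "start": BOOT + timedelta(hours=3)},
    {"pid": 5388, "name": "winlogon.exe", "path": r"C:\Users\Public\winlogon.exe",
     "user": r"DESKTOP\alice", "parent": "explorer.exe", "session": 1,
     "start": BOOT + timedelta(hours=2)},
]

if __name__ == "__main__":
    for pid, finding in check_winlogon(SAMPLE, BOOT):
        print(pid, finding)
```

The check matches on the exact process name only, so look-alike names need a separate rule.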