Windows Session logon Process

Windows structure diagram

Windows system core architecture and components

The above clearly shows the main structure of windows, so that we have a general understanding of the composition of the system, the following describes the Windows session logon approximate process:

1 . Kernel-mode system thread initializes the Windows execution body and kernel, and the final stage of the SMSS (Session management) process.

2, SMSS is responsible for the completion of a series of operations, such as opening additional paging files, creating system environment variables, and Csrss.exe ( subsystem process ) and Winlogon start, Winlogon process to create other system processes in turn.

3, SMSS The main thread is responsible for monitoring csrss and Winlogon, once csrss and Winlogon abnormal termination, SMSS let the system crash.

4. SMSs waits for the request to load the subsystem, debug events, and create a new Terminal Server session.

5, when SMSs received a request to create a session, call Ntsetsysteminformation, establish a kernel-mode session data structure, call the memory manager function Mmsessioncreate, establish the session virtual address space "contains the session of the paged memory pool, Win32 the kernel mode portion of the subsystem Win32k.sys, and then SMSS creates Winlogon and Csrss instances for the session.

6. The Winlogon logon process handles the logon and logoff of interactive users. When the security note sequence SAS combo key is pressed, Winlogon receives a user login request.

"Winlogon is active when a user logs on, logs off, or intercepts a keyboard SAS, which is the process responsible for handling these interactions"

7, the login process identification and authentication is implemented in the GINA.dll "developers can provide their own Gina DLL implementation of other identification and authentication mechanisms."

8. After the user name and password are captured, they are sent to the local Security authentication server process Lsass.exe for authentication. Lsass.exe checks if the password matches the password information stored in the Active Directory or in the SAM.

9. After the authentication is complete, LSASS invokes the function NtCreateToken in the security reference monitor to generate an access token object that contains the security outline of the current user. Winlogon then uses this access token to create the initial process in the user session, which is saved in the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\ Winlogon "under Userinit.

10. Userinit performs some initialization work in the user environment (such as running a logon script, applying Group Policy), then finds the shell value in the registry, and creates a process to run the shell Explorer.exe.

The session creation is complete.

Special Annotations:

      This article is all from the deep parsing of the Windows operating system (fourth edition).