This problem is closely related to the problem of blocking CTRL + ALT + DEL. So we need to talk about it. Next we will first translate the relevant content in this blog:
Http://blogs.technet.com/askperf/archive/2008/02/02/ws2008-startup-processes-and-delayed-automatic-start.aspx
In Windows Versions earlier than Vista, when the system is started, the Session Manager Process (SMSs. will start the Client/Server Runtime subsystem (client-server runtime subsystem (CSRSS. and then the login process (Winlogon. EXE ). The Winlogon process then runs the local security judgment Subsystem Service (LSASS. EXE) and Service Control Manager (services. EXE ). When you log on from the console, the user enters session 0 (Session 0), which is shared by system processes. In this way, there is a security risk. If a poorly written Windows service runs in session 0 and a user interface is displayed on the interactive console, malicious programs can attack windows by sending Windows messages and obtain system administrator privileges.
To solve this potential problem, several Vista and 2008 system processes have been redesigned. SMSs. EXE is the first user-state process to be created. The difference is that SMSs. EXE runs its second instance to configure session 0, which is also used by system processes. Starting the SMSs. EXE instance of session 0 starts a CSRSS. EXE instance, and then starts Windows Startup Program (wininit. EXE) after the CSRSS. EXE instance exits ). Wininit. EXE continues to start services. EXE and LSASS. EXE, and a new process-local Session Manager (LSM..
When session 0 is created, a console session is also initialized. The initial SMSs. EXE instance created a new instance to configure the console session, just like session 0. The new session console session of SMSs. EXE starts CSRSS. EXE and Winlogon. EXE to prepare the user to log on. Then, Winlogon. EXE runs the logon User Interface host (logonui. EXE) to display the Windows security screen and prompts the user to press CTRL + ALT + DEL to log on.
--------------------------------------------------
Quick introduction to Winlogon Processes. In earlier versions of Windows, Winlogon. EXE loads the graphical verification DLL (graphical identification and authentication DLL (Gina), which is specified in the Registry) to display a logon interface and prompt the user to enter the login information. Vista and 2008 are no longer using Gina, and are replaced by a new credential provider architecture ). Winlogon. EXE starts logonui. EXE to load the certification information provider (in the following registry key, specify: HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Authentication \ credential providers ), logonui can load multiple providers at the same time and manage the interfaces displayed to users. It proves that the information provider may have some customized elements that need to be displayed on the login screen. Once the user's logon information is passed to Winlogon. EXE by logonui. EXE, The logonui. EXE process exits.
--------------------------------------------------
When a (terminal) user tries to log on to the system, the initial SMSs. the EXE instance will create a new instance of its own to configure a new session (just like session 0 and console session ). The new session of SMSs. exe will start a CSRSS. EXE process and a Winlogon. EXE process. Winlogon. EXE starts logonui. EXE to display the login interface (Note: The above seems to be repeated, but this is for the terminal server, please continue to look down ). This seems to cause unnecessary load in the system, and it will not bring obvious benefits on the client system. However, on Windows Server 2008 Terminal Server systems, multiple instances of SMSs. EXE can run simultaneously, allowing multiple users to log on to the system more quickly.
BTW: the fifth edition of Windows internals will be published next month, waiting for 0-day release. ^) ^