When using Windows XP, we always need to log on first. The logon authentication mechanism of Windows XP is far more complex than that of Windows 98, so you can no longer press the "Cancel" button to get into the system (although the Registry can be modified to disable the logon prompt). Understanding the logon verification mechanism of Windows XP is therefore important to us: it deepens our understanding of system security and helps us prevent and deal with hacker and virus intrusions.
I. The Logon Types of Windows XP
1. Interactive Logon
Interactive logon is the most common type: the user logs on to the local machine with a user account and password. Some netizens think that "interactive logon" means "local logon", which is incorrect. "Interactive logon" also includes "domain account logon", whereas "local logon" is limited to "local account logon". See below for details.
It is worth mentioning that logging on to a host through Terminal Services or Remote Desktop also counts as "interactive logon"; the verification principle is the same.
During interactive logon, the system first checks the type of the user account being used (a local user account or a domain user account) and then applies the corresponding verification mechanism. Because the account types differ, the processing differs as well.
◇ Local User Account
When you log on with a local user account, the system verifies the credentials against the information stored in the local SAM database. That is why deleting the SAM file used to be a way in when the Administrator password was forgotten; Windows XP no longer supports this, probably for security reasons. After logging on with a local user account, you can only access local resources for which you have access permissions. (Figure 1)
◇ Domain User Account
When you log on with a domain user account, the system verifies the credentials against the data stored in the Active Directory of the domain controller. If the account is valid, you can access any resource in the entire domain for which you have access permissions.
TIPS: If the computer has been joined to a domain, the logon dialog box shows a "Log on to:" field, from which you can choose to log on to the domain or to the local machine.
2. Network Logon
If the computer has been joined to a workgroup or a domain, you must "log on to the network" to access resources on other computers (Figure 2), entering a user name and password for the other host to verify. Note that the user account entered must exist on the other host, not on your own: during network logon, the validity of the user account is checked by the host being accessed.
3. Service Logon
Service logon is a special logon method. When the system starts a service or program, the service first logs on with some user account and then runs. These user accounts can be domain user accounts, local user accounts, or the SYSTEM account, and different accounts have different access and control permissions on the system. As with interactive logon, a service logged on with a local user account can only access local resources for which it has permissions and cannot access resources on other computers.
The Task Manager in Figure 3 shows that system processes run under different accounts. When the system starts, some basic services and Win32 services log on to the system in advance to gain access to and control of the system; run services.msc to configure them. Precisely because system services play such an important role, they usually log on under the SYSTEM account and have absolute control over the system, which is why so many viruses and Trojans compete to run as SYSTEM. Besides SYSTEM, some services log on under the Local Service and Network Service accounts. After system initialization, all programs started by the user run under the user's own account.
From the principles above it is not hard to see why many computer articles advise ordinary users to log on as members of the Users group for everyday work: even if a virus or Trojan is run, the permission restrictions of the logon account mean that, at worst, only the resources belonging to that user can be damaged, while the information critical to system security and stability cannot be destroyed.
4. Batch Logon
Batch logon is rarely used directly by users; it is usually used by programs that execute batch jobs. The account used for a batch logon must have the right to log on as a batch job; otherwise the logon fails.
Interactive logon is the type we deal with most, so I will explain its principle in detail.
II. Which System Components Are Involved in Interactive Logon
1. winlogon.exe
Winlogon.exe is the most important component of interactive logon. It is a security process responsible for the following work:
◇ Loading the other logon components.
◇ Providing the graphical interface for security-related user operations so that users can log on or log off.
◇ Exchanging the necessary information with GINA as required.
2. GINA
GINA stands for "Graphical Identification and Authentication". During the logon process, both the "Welcome screen" and the logon dialog box are displayed by GINA.
For example, StyleXP can instruct winlogon.exe to load a GINA developed by a third party so as to provide a different Windows XP logon interface. Because GINA can be replaced in this way, Trojans have appeared that steal accounts and passwords.
One kind targets "Welcome screen" logon: it imitates the Windows XP welcome screen, and after the user types the password the Trojan captures it without the user noticing anything. We therefore recommend not using the welcome screen for logon and enabling "Secure Logon" instead.
The other kind is a GINA Trojan aimed at the logon dialog box. It is loaded during logon, steals the user's account and password, and saves them to a .dat file named WinEggDrop under %systemroot%\system32. This Trojan disables the "Welcome screen" logon and "User Switching" functions and also suppresses the "Ctrl-Alt-Delete" secure logon prompt.
Users need not worry too much about having a GINA Trojan installed. Here is a solution for reference:
◇ To check whether a GINA Trojan has been installed on your computer, you can download a GINA Trojan package and run InstGina-view, which reads the GinaDLL value in the registry and shows whether a DLL has been installed there; this is mainly used to check whether a logon-stealing GINA Trojan is present. If a GINA Trojan turns out to be installed, run InstGina-Remove to uninstall it.
3. LSA Service
LSA stands for "Local Security Authority". It is a very important Windows service: all security authentication must pass through it. LSA obtains the user's account and password from winlogon.exe, processes the password through the key mechanism, and compares the result with the key stored in the account database. If they match, LSA considers the user's identity valid and allows the user to log on to the computer; if they do not match, LSA considers the identity invalid and the user cannot log on.
Why do these three letters look familiar? Right, they relate to the "Shock Wave" worm that raged for a while. The "Shock Wave" worm exploits a remote buffer overflow vulnerability in LSA to obtain SYSTEM, the highest privilege level, and attack the computer. There is plenty of information on dealing with it, so I will not go into it here.
4. SAM Database
SAM stands for "Security Account Manager". It is a protected subsystem that manages user and user-group information by storing security accounts in the computer's registry. We can think of SAM as an account database. For computers not joined to a domain it is stored locally; for computers joined to a domain it is stored on the domain controller.
If a user tries to log on to the local machine, the system compares the account information in the local SAM database with the information the user provides. If the user tries to log on to the domain, the system compares the account information in the SAM database stored on the domain controller with the information the user provides.
5. Net Logon Service
The Net Logon service is mainly used together with NTLM (NT LAN Manager, the default authentication protocol of Windows NT 4.0) to verify that the information in the SAM database on a Windows NT domain controller matches the information provided by the user. The NTLM protocol is used to ensure compatibility with Windows NT.
6. KDC Service
The KDC (Kerberos Key Distribution Center) service works together with the Kerberos authentication protocol to verify user logons across the entire Active Directory. If there are no Windows NT computers in the domain, you can use the Kerberos protocol exclusively to obtain maximum security. This service can only be started after the Active Directory service has started.
7. Active Directory Service
If the computer has been joined to a Windows 2000 or Windows 2003 domain, this service must be started to support Active Directory functionality.
III. What Does winlogon Do Before and After Logon?
If "Secure Logon" is enabled, a SAS (Secure Attention Sequence) is registered in the system during winlogon initialization. The SAS is a key combination, by default Ctrl-Alt-Delete. It ensures that the information entered during interactive logon is received by the system and cannot be intercepted by other programs, so logging on with "Secure Logon" ensures that the user's account and password are not stolen by hackers. To enable "Secure Logon", run the command "control userpasswords2" to open the "User Accounts" dialog box and select the "Advanced" tab (Figure 4). Tick the "Ask the user to press Ctrl-Alt-Delete" option and click OK. From then on, before each logon dialog box appears, there will be a prompt asking the user
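The two checks that matter in this article, the GinaDLL value from section II and the Ctrl-Alt-Delete requirement above, can be scripted against a registry export. The following is an added example, not code from the original article or from any tool it names: it parses a constructed `reg export` snippet (the values in it are made up) and flags a GinaDLL entry that is not the stock msgina.dll, and a DisableCAD value of 1 under the Policies\System key, which is the registry value behind the "Ask the user to press Ctrl-Alt-Delete" checkbox.

```python
import re
# Constructed .reg export (made up for this example) covering the two values
# the article's checks turn on: Winlogon\GinaDLL and Policies\System\DisableCAD.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="WinEggDrop.dll"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCAD"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text.
    String values are unquoted; dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1]
            else:
                keys[current][name] = raw
    return keys

def audit_logon_settings(text):
    """Return a list of findings; an empty list means both checks passed."""
    keys, findings = parse_reg(text), []
    gina = keys.get(WINLOGON, {}).get("GinaDLL")
    # GinaDLL is absent on a stock system (msgina.dll is then used); any other
    # DLL means a replacement GINA was installed, which is what the trojans do.
    if gina is not None and gina.lower() != "msgina.dll":
        findings.append("GinaDLL points to a non-default DLL: " + gina)
    # DisableCAD=1 switches off the Ctrl-Alt-Delete (SAS) requirement.
    if keys.get(POLICY, {}).get("DisableCAD", 0) != 0:
        findings.append("DisableCAD is set: secure logon is disabled")
    return findings
```

On a real machine, feed it the output of `reg export` for the two keys (converted from UTF-16 to text) instead of the constructed sample.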