# winlogon.exe

### What is winlogon.exe?

`winlogon.exe`, the **Windows Logon Manager**, is a critical system process in Windows. One instance runs in every interactive session and manages that session's lifecycle, including:

* **Secure Login (**<mark style="color:yellow;">**Ctrl+Alt+Delete**</mark>**):** Registers and handles the secure attention sequence (SAS), so that the logon screen and the security options dialog (lock, change password, Task Manager) cannot be spoofed by an ordinary user-mode program.
* **User Authentication:** Collects credentials through `LogonUI.exe` and the installed credential providers and hands them to `lsass.exe` for verification; `winlogon.exe` itself does not validate passwords.
* **Profile Loading:** Loads the user's profile and personalized settings after a successful logon.
* **Shell Startup:** Runs `userinit.exe`, which processes logon scripts and starts the shell named in the registry (normally `explorer.exe`).
* **Screen Saver Control:** Manages the activation and dismissal of the screen saver.
* **Workstation Locking/Unlocking:** Secures and unlocks user sessions.
* **Logoff Process:** Terminates user processes and saves data during logoff.

### winlogon.exe: Normal vs. Abnormal Behavior

The table below contrasts what a legitimate `winlogon.exe` looks like with the deviations that warrant a closer look:

| Feature | Normal Behavior | Abnormal Behavior |
| --- | --- | --- |
| **Image Path** | `%SystemRoot%\System32\winlogon.exe` (normally `C:\Windows\System32\winlogon.exe`) | Image path anywhere other than `C:\Windows\System32` |
| **Process Name** | Exactly `winlogon.exe` | Look-alike spellings (`winlogin.exe`, `wlnlogon.exe`, a digit or capital `I` in place of a letter) used to hide a rogue process |
| **Parent Process** | Created by a session-specific copy of `smss.exe` that exits right away, so analysis tools show no living parent | A living parent process of any kind, and in particular one other than `smss.exe` |
| **Number of Instances** | One per interactive session. The first (Session 1) appears shortly after boot; more appear with additional sessions (RDP, Fast User Switching); there is none in Session 0 | More instances than interactive sessions, two in the same session, or one in Session 0 |
| **User Account** | `NT AUTHORITY\SYSTEM` (Local System) | Any account other than SYSTEM |
| **Start Time** | The first instance starts within seconds of boot; later instances start when new user sessions are created | A first instance that starts long after boot, or an instance whose start does not coincide with a new session |
| **Registry Shell Value** | Under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, `Shell` is `explorer.exe` and `Userinit` is `C:\Windows\system32\userinit.exe,` | `Shell` or `Userinit` pointing at anything else: a common way to run an attacker's program at every logon |

**Key Takeaways for Identifying** <mark style="color:yellow;">**Suspicious**</mark> **Activity:**

* **Incorrect File Path:** `winlogon.exe` running from anywhere other than `C:\Windows\System32` is highly suspicious.
* **Visible Parent Process:** The `smss.exe` copy that starts `winlogon.exe` exits immediately, so a living parent, especially one that is not `smss.exe`, is abnormal. Compare start times before concluding: a PID can be reused by a later, unrelated process that is not the real parent.
* **Unusual Number of Instances or Misspellings:** One instance per interactive session is normal; more than that, two in one session, or a near-miss spelling of the process name is not.
* **Incorrect User Account:** `winlogon.exe` always runs as `NT AUTHORITY\SYSTEM` (Local System).
* **Modified Registry Shell Value:** A `Shell` value other than `explorer.exe`, or a `Userinit` value other than `C:\Windows\system32\userinit.exe,`, under the `Winlogon` key indicates a potential compromise.
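The process-level checks from the table and takeaways above, as an added PowerShell example (not code from the original page): it lists every running process whose name is within two edits of `winlogon.exe` and reports each deviation from the "normal" column (path, owner, living parent, session placement, instance count). It assumes built-in cmdlets only and an elevated prompt, since owner and image path of SYSTEM processes are not readable otherwise; the two-edit threshold for look-alike names is an arbitrary choice.

```powershell
# Added example: triage running winlogon.exe instances against the expected profile.
# Built-in cmdlets only (CIM); run from an elevated prompt.

$expectedPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# Levenshtein distance, used to catch look-alike names such as "winlogin.exe".
function Get-EditDistance {
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

$all = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# Candidates: the exact name plus anything within two edits of it (case-insensitive).
$candidates = $all | Where-Object {
    (Get-EditDistance $_.Name.ToLowerInvariant() 'winlogon.exe') -le 2
}

# winlogon.exe runs exactly once per interactive session and never in Session 0.
$perSession = $candidates | Group-Object SessionId

$report = foreach ($p in $candidates) {
    $findings = @()

    if ($p.Name -cne 'winlogon.exe') {
        $findings += "look-alike name '$($p.Name)'"
    }
    if (-not $p.ExecutablePath) {
        $findings += 'image path not readable (run elevated)'
    } elseif ($p.ExecutablePath -ne $expectedPath) {
        $findings += "image path $($p.ExecutablePath), expected $expectedPath"
    }

    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    if (-not $owner -or $owner.ReturnValue -ne 0) {
        $findings += 'owner not readable (run elevated)'
    } elseif ("$($owner.Domain)\$($owner.User)" -ne 'NT AUTHORITY\SYSTEM') {
        $findings += "runs as $($owner.Domain)\$($owner.User), expected NT AUTHORITY\SYSTEM"
    }

    # The session smss.exe that created winlogon exits immediately, so its PID should
    # no longer exist. A live process with that PID that started *after* winlogon is
    # just PID reuse, not a real parent, so creation times are compared first.
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and $parent.CreationDate -le $p.CreationDate) {
        $findings += "live parent $($parent.Name) (PID $($parent.ProcessId))"
    }

    if ($p.SessionId -eq 0) {
        $findings += 'running in Session 0'
    }
    $sameSession = ($perSession | Where-Object Name -eq $p.SessionId).Count
    if ($sameSession -gt 1) {
        $findings += "$sameSession instances in session $($p.SessionId)"
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Name     = $p.Name
        Session  = $p.SessionId
        Started  = $p.CreationDate
        Findings = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize
```

On a healthy host the `Findings` column reads `none` for every row and there is one row per interactive session. A `live parent` finding deserves a look at what that parent is; a non-SYSTEM owner or an image path outside `System32` is the strongest signal on this list.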

### winlogon.exe and MITRE ATT\&CK

`winlogon.exe` is a high-value target because everything it loads or launches during boot and logon runs as SYSTEM, or in the context of a user who has just authenticated. Attackers use it for **Persistence**, **Privilege Escalation** and **Credential Access** by manipulating the pieces it interacts with:

* **Winlogon Helper DLLs (T1547.004):** Changing the `Shell`, `Userinit` or legacy `Notify` values under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (or the `HKCU` equivalent) so that a malicious DLL or executable is loaded at every logon.
* **Accessibility Features (T1546.008):** Replacing accessibility executables such as `sethc.exe` (Sticky Keys) or `utilman.exe`, or pointing an Image File Execution Options `Debugger` value for them at `cmd.exe`, so that a SYSTEM shell can be opened from the logon screen before anyone authenticates.
* **Network Provider DLLs (T1556.008):** Registering a malicious network provider DLL so that `mpnotify.exe`, which `winlogon.exe` starts during logon, hands it the user's plaintext credentials.
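A companion audit of the registry and file hooks behind the table's "Registry Shell Value" row, the takeaways and the three ATT&CK techniques above, as an added PowerShell example (not code from the original page or from MITRE): it compares the `Winlogon` values with the Windows defaults, looks for IFEO `Debugger` hijacks and replaced accessibility binaries, and walks the network providers `mpnotify.exe` will load. It assumes built-in cmdlets, an elevated prompt and the default `Userinit` value; the accessibility binary list and the `Get-Signer` helper are my own choices, and third-party network providers (VPN clients) are reported for review rather than condemned, since they are legitimate on many hosts.

```powershell
# Added example: audit the logon-time hooks winlogon.exe and userinit.exe honour.
# Built-in cmdlets only; run from an elevated prompt. Expected values are Windows defaults.

$findings = New-Object System.Collections.Generic.List[string]

function Get-Signer {
    # Returns "Valid:<subject>" or the failure status. Catalog-signed OS binaries
    # report Valid on Windows 8.1 and later; older hosts may report NotSigned for them.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { "Valid:$($sig.SignerCertificate.Subject)" } else { "$($sig.Status)" }
}

# --- T1547.004: Shell / Userinit / legacy Notify under the Winlogon key ---
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # the trailing comma is the default
}
foreach ($name in $expected.Keys) {
    $value = (Get-ItemProperty -Path $wl -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $findings.Add("$name missing under $wl")
    } elseif ($value.Trim() -ne $expected[$name]) {
        $findings.Add("$name = '$value' (expected '$($expected[$name])')")
    }
}
# A per-user Shell in HKCU is honoured as well and is rarely set legitimately.
$hkcu = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $hkcu -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { $findings.Add("HKCU Shell override = '$userShell'") }
# Notify packages have been unsupported since Vista; any subkey present today is worth a look.
if (Test-Path "$wl\Notify") {
    foreach ($sub in Get-ChildItem "$wl\Notify") {
        $dll = (Get-ItemProperty -Path $sub.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        $findings.Add("Notify\$($sub.PSChildName) loads '$dll'")
    }
}

# --- T1546.008: accessibility binaries replaced or hijacked through an IFEO Debugger ---
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibility = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
foreach ($exe in $accessibility) {
    $dbg = (Get-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger for $exe = '$dbg'") }

    $file = Join-Path $env:SystemRoot "System32\$exe"
    if (-not (Test-Path $file)) { continue }
    # A cmd.exe copied over sethc.exe is still Microsoft-signed, so a signature check
    # alone passes; the version resource's OriginalFilename ("Cmd.Exe") gives it away.
    $orig = (Get-Item $file).VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $exe)) { $findings.Add("$exe has OriginalFilename '$orig'") }
    $signer = Get-Signer $file
    if ($signer -notmatch '^Valid:.*Microsoft') { $findings.Add("$exe signature: $signer") }
}

# --- T1556.008: network provider DLLs that receive plaintext credentials at logon ---
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
foreach ($prov in ($order -split ',' | ForEach-Object Trim | Where-Object { $_ })) {
    $np = "HKLM:\SYSTEM\CurrentControlSet\Services\$prov\NetworkProvider"
    $dll = (Get-ItemProperty -Path $np -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
    if (-not $dll) { $findings.Add("provider $prov is in ProviderOrder but has no ProviderPath"); continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)   # ProviderPath is usually REG_EXPAND_SZ
    if (-not (Test-Path $dll)) { $findings.Add("provider $prov: '$dll' not found"); continue }
    $inSystem32 = $dll -like (Join-Path $env:SystemRoot 'System32\*')
    $signer = Get-Signer $dll
    if (-not $inSystem32 -or $signer -notmatch '^Valid:.*Microsoft') {
        $findings.Add("provider $prov: '$dll' ($signer), review")
    }
}

if ($findings.Count -eq 0) { 'No deviations from the defaults found.' } else { $findings }
```

The `OriginalFilename` comparison is the check that actually catches the classic Sticky Keys swap, because the replacement is usually a genuine, signed Microsoft binary; treat a provider finding as a prompt to identify the software that registered it rather than as proof of compromise.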