Winlogon (Windows Logon) is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creating the desktops for the window station, and optionally locking the computer when a screensaver is running (requiring another authentication step). In Windows Vista and later operating systems, the roles and responsibilities of Winlogon have changed significantly.
Winlogon is launched by the Session Manager Subsystem as a part of the booting process of Windows NT.
Before Windows Vista, Winlogon was responsible for starting the Service Control Manager and the Local Security Authority Subsystem Service, but since Vista these have been launched by the Windows Startup Application (
The first part of the logon process Winlogon conducts is starting the process that shows the user the logon screen. Before Windows Vista this was done by GINA, but starting with Vista this is done by LogonUI. These programs are responsible for getting user credentials and passing them to the Local Security Authority Subsystem Service, which authenticates the user.
After control is given back to Winlogon, it creates and opens an interactive window station, WinSta0, and creates three desktops: Winlogon, Default and ScreenSaver. Winlogon switches from the Winlogon desktop to the Default desktop when the shell indicates that it is ready to display something for the user, or after thirty seconds, whichever comes first. The system switches back to the Winlogon desktop if the user presses Control-Alt-Delete or when a User Account Control prompt is shown. Winlogon now starts the program specified in the Userinit value, which defaults to userinit.exe. This value supports multiple executables.
Winlogon is a common target for several threats that could modify its function and memory usage. Winlogon has support for plugins that get loaded and notified about specific events. Some rootkits bundle Winlogon plugins because they are loaded before any user logs in. Some registry keys accept multiple values, which allows a malicious program to be executed at the same time as a legitimate system file.
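Because the Userinit value can list more than one executable, a defender can audit its data against the single entry expected on a clean host. The following is an added example, not code from Windows or from the original article; the comma delimiter, the expected full path and the function names are assumptions, and the value string is passed in so that reading it from the registry is left to the caller.

```python
import ntpath
import re

# Assumption: the single entry expected on a clean host. The page names
# userinit.exe as the default; the full path is an assumed install location.
EXPECTED = {r"c:\windows\system32\userinit.exe"}

def normalise(entry, system_root=r"C:\Windows"):
    """Canonicalise one entry so case, quoting or '..' cannot hide a mismatch."""
    entry = entry.strip().strip('"')
    # Expand %SystemRoot% / %windir% (lambda avoids backslash escapes in re.sub).
    entry = re.sub(r"%(systemroot|windir)%", lambda m: system_root,
                   entry, flags=re.IGNORECASE)
    return ntpath.normpath(entry).lower()

def audit_userinit(value, expected=EXPECTED):
    """Return (entries, findings) for the data of a Userinit value.

    Assumption: entries are comma-separated (the page does not say how the
    multiple executables are delimited); empty entries are ignored.
    """
    entries = [normalise(e) for e in value.split(",") if e.strip()]
    findings = []
    if not any(e in expected for e in entries):
        findings.append("expected userinit.exe entry is missing")
    findings += [f"unexpected entry: {e}" for e in entries if e not in expected]
    return entries, findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"%SystemRoot%\System32\userinit.exe",
        r"C:\Windows\system32\userinit.exe, C:\Users\Public\updater.exe",
        r"C:\Windows\Temp\userinit.exe,",
    ]
    for value in samples:
        _, findings = audit_userinit(value)
        print(value, "->", findings or "OK")
```

The last sample shows why the comparison is on the full normalised path: a file with the expected name in a different directory is reported as both a missing expected entry and an unexpected one.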