Old 19-06-2008, 06:24 PM   #6 (permalink)
Paul Adams
Drone #467234
Join Date: Jul 2003
Location: C:\Windows
Posts: 1,750
Thanks: 9
Thanked 38 Times in 30 Posts
Re: Looking Through Windows

=====================================================================
Logon - processes that run automatically
=====================================================================
Whether you hit CTRL-ALT-DEL or click on your icon and optionally enter your password, the user logon process is the same.

Windows calls the GINA (Graphical Identification and Authentication) to obtain the username and password; WINLOGON also generates a unique local logon SID (Security ID) for this user session, which is passed to LSASS (Local Security Authority Subsystem Service).
LSASS does the actual authentication and builds the user "logon process token" - if the authentication is successful then the SID from WINLOGON is put into the token.
Once the user's permission to log onto the machine has been verified, the group memberships that the user has are also logged in this token.

The token is used so that every time access is requested to an object, the user's group membership and permissions list does not have to be re-enumerated, wasting lots of time.

If the user account is local then the authentication is done against the local SAM (Security Account Manager) database.

If the user account is in a domain then the authentication is done securely against a domain controller (if no domain controller is present but the user has logged on successfully recently then cached credentials are used to authenticate the user).
WINLOGON then checks the following value and executes the program(s) found there:
HKLM / SOFTWARE / Microsoft / Windows NT / CurrentVersion / Winlogon / Userinit
The default is "userinit.exe".

Userinit.exe checks this registry key to see which shell (desktop) to launch:
HKLM / SOFTWARE / Microsoft / Windows NT / CurrentVersion / Winlogon / Shell
This key does not exist by default, and it defaults to "explorer.exe".

Once the shell is launched, userinit exits - which is why explorer.exe appears to have no parent process in a session.

Next, the scripts from the following 3 locations are executed concurrently:

i. HKLM / Software / Microsoft / Windows / CurrentVersion / RunOnceEx
The keys exist under this location and have string values under them which are executed – the names of the values themselves are irrelevant, but the keys are processed synchronously in alphabetical order.
The values are removed from the registry immediately on being executed.

ii. User Properties / Profile / Logon Script
In the Profile tab of the properties of the user object in AD, the script referenced in the “Logon script” field is executed.
The default location is %systemroot%\sysvol\sysvol\{domain name}\scripts for any script not explicitly given a path.

iii. Group policy/policies – user configuration
The group policies applicable to the user logging on are evaluated and any scripts under User Configuration / Windows Settings / Scripts / Logon are executed.

It is possible that these 3 steps can start before any computer configuration scripts through group policy, if the user logs on as soon as the CTRL-ALT-DEL window appears – this can be prevented by enabling the following local/group policy option:
Computer Configuration\Administrative Templates\System\Logon: Always wait for the network at computer startup and logon

Processes that are to run just once and then be deleted (e.g. installation completion routines) are governed by the registry key:
HKLM / Software / Microsoft / Windows / CurrentVersion / RunOnce
The values under this location are executed synchronously in the order in which they were created.
The values are also removed from the registry immediately on being executed, unless the name begins with a “!” in which case it is removed once the process has completed.


Processes that are common for all users who log onto the local machine are governed by the registry key:
HKLM / Software / Microsoft / Windows / CurrentVersion / Run
The values under this location are executed synchronously in the order in which they were created.
Entries that begin with a “*” are executed even when the machine starts in Safe Mode.


Processes that are specific to the user currently logging on are governed by the registry key:
HKCU / Software / Microsoft / Windows / CurrentVersion / Run
The values under this location are executed synchronously in the order in which they were created.
Entries that begin with a “*” are executed even when the machine starts in Safe Mode.

Quick clarification & hint: "synchronously in the order in which [the values] were created" means they are executed one after another in "natural order" and not how they are displayed through Registry Editor (alphabetically).
The natural order can be determined by exporting the key to a text file and viewing it in Notepad.

Finally we get to the Startup folder - the shortcuts in the “All Users” and current user profiles are executed concurrently (Start Menu\Programs\Startup).
“All Users” profile is always on the local machine, but the user profile location can be on a network resource (defined in the user properties) or the local machine.

A quick note on "sessions":
Session 0 is both the session used to identify processes running as "the system" and also the one used by the user logged on at the console (or remotely via Terminal Services with the "/console" switch).
Every user session on a machine has a unique session ID, and its own instance of CSRSS (Client Server Runtime Subsystem Service) and WINLOGON.
If either of these 2 processes is killed, then the entire user session is killed.
If the "session 0" instance of either of these processes terminates, Windows will reboot - they are essential.

There is no IRL... only AFK
This signature (c)2006 Copywrong Paul Adams. All rights wronged, all wrongs reversed.
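The following PowerShell script is an added example and is not part of the post above or its author's own material. It walks the autostart locations the post describes in the order the post gives them (Winlogon Userinit and Shell, RunOnceEx, RunOnce, Run for HKLM and HKCU, then the Startup folders) and reports them as a single table, flagging a Userinit list with more than userinit.exe in it, a non-default Shell, "*" entries that survive Safe Mode, and "!" RunOnce entries that are deleted only after the process completes. It also lists the session IDs of the csrss and winlogon instances so the reader can see the session layout on their own machine. Assumptions: it is run from an elevated PowerShell session on Windows, HKCU means the profile of the user running it, logon scripts and Group Policy scripts (which live outside these keys) are not covered, and the order returned by GetValueNames() is taken to be the "natural" creation order the post refers to rather than regedit's alphabetical display.

```powershell
# Added audit example (not from the original post). Enumerates the logon
# autostart locations the post describes and flags items worth reviewing.
# Assumptions: elevated PowerShell on Windows; HKCU = the running user;
# GetValueNames() order is treated as the post's "natural" (creation) order.

$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$CurrentVersion = 'SOFTWARE\Microsoft\Windows\CurrentVersion'

function New-Finding([string]$Location, [string]$Name, [string]$Value, [string]$Note) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value; Note = $Note }
}

function Get-WinlogonFindings {
    # Userinit: the post gives the default as userinit.exe. Any additional
    # comma-separated entry is another program started before the shell.
    $userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $entries  = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $extra    = @($entries | Where-Object { (Split-Path -Leaf $_) -ne 'userinit.exe' })
    $note = if (-not $userinit)       { 'REVIEW: Userinit value missing' }
            elseif ($extra.Count -gt 0) { 'REVIEW: extra Userinit entries: ' + ($extra -join '; ') }
            else                        { 'default' }
    New-Finding $WinlogonKey 'Userinit' $userinit $note

    # Shell: absent (defaults to explorer.exe) or explorer.exe is the expected state.
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    $note  = if (-not $shell -or $shell -eq 'explorer.exe') { 'default' } else { 'REVIEW: non-default shell' }
    New-Finding $WinlogonKey 'Shell' $shell $note
}

function Get-RunOnceExFindings {
    # RunOnceEx holds subkeys, processed alphabetically; the value names are irrelevant.
    $path = "HKLM:\$CurrentVersion\RunOnceEx"
    $subkeys = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Sort-Object PSChildName
    foreach ($sk in $subkeys) {
        foreach ($name in $sk.GetValueNames()) {
            New-Finding "$path\$($sk.PSChildName)" $name $sk.GetValue($name) 'RunOnceEx subkey (alphabetical)'
        }
    }
}

function Get-RunKeyFindings {
    # RunOnce before Run, HKLM before HKCU, matching the order in the post.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'RunOnce', 'Run') {
            $path = "${hive}:\$CurrentVersion\$sub"
            $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            $pos = 0
            # Registry enumeration order, not the alphabetical view regedit shows.
            foreach ($name in $key.GetValueNames()) {
                $pos++
                $flags = @("position $pos")
                if ($name.StartsWith('*')) { $flags += 'runs in Safe Mode' }
                if ($sub -eq 'RunOnce' -and $name.StartsWith('!')) { $flags += 'deleted after process completes' }
                New-Finding $path $name $key.GetValue($name) ($flags -join ', ')
            }
        }
    }
}

function Get-StartupFolderFindings {
    # "All Users" (CommonStartup) and the current user's Startup folder.
    foreach ($folder in 'CommonStartup', 'Startup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -Force | Where-Object Name -ne 'desktop.ini') {
            New-Finding $dir $f.Name $f.FullName 'startup folder item'
        }
    }
}

function Get-SessionProcesses {
    # One csrss and one winlogon per session; the SessionId column shows the layout.
    Get-Process -Name csrss, winlogon -ErrorAction SilentlyContinue |
        Sort-Object SessionId, Name | Select-Object SessionId, Name, Id
}

$findings = @(Get-WinlogonFindings) + @(Get-RunOnceExFindings) +
            @(Get-RunKeyFindings)   + @(Get-StartupFolderFindings)

$findings | Format-Table -AutoSize -Wrap
$findings | Where-Object Note -like 'REVIEW*' |
    ForEach-Object { Write-Warning "$($_.Location) : $($_.Name) -> $($_.Note)" }

Get-SessionProcesses | Format-Table -AutoSize
```

Run it once on a known-good build to record a baseline, then diff later runs against it: a new Run or RunOnce value, a second entry in Userinit, or a Shell value that is not explorer.exe are the changes a defender wants to see first, and the position column preserves the execution order that regedit's alphabetical listing hides.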