Windows Account Logon Flow v0.1
[Diagram content recovered from the poster; the panels below are the readable parts of the flow chart, in reading order. Fragments that were cut off in the source are left incomplete.]

Security packages (DLL : SSP name)
C:\Windows\system32\lsasrv.dll : Negotiate
C:\Windows\system32\negoexts.DLL : NegoExtender
C:\Windows\system32\kerberos.DLL : Kerberos
C:\Windows\system32\tspkg.DLL : TSSSP
C:\Windows\system32\pku2u.DLL : pku2u
C:\Windows\system32\cloudAP.DLL : CloudAP
C:\Windows\system32\wdigest.DLL : WDigest
C:\Windows\system32\schannel.DLL : Schannel
You will find multiple 4622 events that inform (remainder not recoverable)

Winlogon Process initialization
(panel title only; text not recoverable)

LSASS Initialization
In the second part of Step 1, the Local Security Authority Subsystem Service (LSASS) process is initialized. The LSASS component is a process that (remainder not recoverable)

Local System Account Logon
Even though the Local System account is a built-in special account which represents the (remainder not recoverable)

Authentication Data Gathering
LogonUI's purpose is to collect user credentials and pass them to LSASS for validation. LogonUI is invoked by Winlogon each time authentication data needs to be collected/gathered from a user. After LogonUI gets a (remainder not recoverable)

Send Credentials from Winlogon to LSASS
After a credential provider gets authentication data from the user, Winlogon invokes the LsaLogonUser function to pass the authentication data to LSASS. The LsaLogonUser function uses LsaAuthenticationPort, LSASS's ALPC port for communications.

Local User Logon: MSV1_0
If the account is a local user account, the user's credentials are passed to the Negotiate Security Support Provider (SSP), which then passes them to the MSV1_0 security support provider/authentication package (SSP/AP). Negotiate SSP selects between Kerberos SSP/AP and MSV1_0 SSP/AP. For local account interactive logons, MSV1_0 SSP/AP is selected.

Security event log entries shown on the diagram
4624 : An account was successfully logged on locally
4624 : A domain account was successfully logged on locally
Special privileges assigned to new logon.
A logon was attempted using explicit (remainder not recoverable)
Group membership information
RemoteInteractive Logon (10)

Processes started after logon, as drawn on the diagram
Userinit.exe
Explorer.exe
https://twitter.com/rimpq
Special thanks to Andrei Miroshnikov for the awesome book
"Windows Security Monitoring: Scenarios and Patterns" https://www.amazon.com/gp/product/B07BGHYF61