Process
winlogon.exe
winlogon.exe is the Windows Logon Application, the process that manages signing in and out of a Windows session. It runs in the background for each interactive user session and coordinates the steps that lead from the login screen to the desktop. Because it handles authentication-related duties, it's one of the more security-sensitive processes in Windows.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: WINLOGON.EXE.MUI
- Internal name: winlogon
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
- Version: 10.0.26100.8117 (WinBuild.160101.0800) (100%)
- Size: 936.00 KB (100%)
Execution context
- Image path: C:\Windows\System32\winlogon.exe (100%)
- Not observed.
- Not observed.
- 1 (100%)
- Session 1 (100%)
- Privileges: SeCreateGlobalPrivilege (100%), SeIncreaseBasePriorityPrivilege (100%), SeChangeNotifyPrivilege (100%), SeAuditPrivilege (100%), SeImpersonatePrivilege (100%)
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
Indicators
Not observed.
Analysis
Every interactive session gets its own winlogon.exe. It's started by the same short-lived smss.exe copy that creates the session, so like wininit.exe it normally shows no parent in the process tree. It runs as NT AUTHORITY\SYSTEM from C:\Windows\System32\winlogon.exe and is a critical process, so terminating it will crash the system with a stop error (blue screen).
winlogon.exe oversees the secure sign-in process, including the classic Secure Attention Sequence, the Ctrl+Alt+Del prompt that ensures the user is interacting with the genuine Windows logon screen rather than a spoofed one. It starts LogonUI.exe to display the sign-in screen and coordinates with lsass.exe to verify the entered credentials. After a successful sign-in, it loads the user's NTUSER.DAT registry hive into HKCU and launches the shell (userinit.exe, which in turn starts explorer.exe) to bring up the desktop.
Beyond initial logon, it continues to manage the session throughout its lifetime. It handles locking and unlocking the workstation, loading and running the screen saver during idle periods, and coordinating logoff and shutdown at the end of the session. In modern Windows, some duties that historically belonged to winlogon have been distributed to other processes, but it remains the anchor of the interactive logon experience.
Its children on a modern system are a short list: LogonUI.exe at the sign-in screen, userinit.exe briefly at logon, plus dwm.exe (the Desktop Window Manager) and fontdrvhost.exe, which it starts for each session. Multiple winlogon.exe instances are normal whenever multiple sessions exist: one for the console, plus one per remote desktop connection.
Because of its trusted status and its role in authentication, winlogon.exe is a frequent target for impersonation by malware seeking to blend in or intercept credentials (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Treat copies in other locations, or slight misspellings such as winlogan.exe or winlogon32.exe, as anomalies.
The Winlogon registry key is a long-standing persistence target (T1547.004). The Userinit and Shell values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon tell winlogon.exe what to run at logon, and malware appends its own entry to start with every sign-in. Anything in those values beyond userinit.exe and explorer.exe warrants a review.
A command shell running under winlogon.exe is a well-known backdoor pattern. Replacing accessibility tools like sethc.exe (Sticky Keys) or utilman.exe with cmd.exe produces a SYSTEM shell at the logon screen, no credentials required, and that shell appears in the process tree as a child of winlogon.exe (T1546.008).
- Image path other than C:\Windows\System32\winlogon.exe (high)
- Running as any account other than NT AUTHORITY\SYSTEM (high)
- Children other than LogonUI.exe, userinit.exe, dwm.exe, or fontdrvhost.exe (high)
- A command shell or script host as a child (high)
- Unsigned image or a signer other than Microsoft (high)
- More instances than interactive sessions (med)
- Extra entries in the Winlogon registry key's Userinit or Shell values (med)
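The indicator list above and the analysis paragraphs before it can be turned into a small detection routine. The following Python is an added example, not part of the original profile page or of any product it draws on: it evaluates constructed process records (the `Proc` dataclass, the sample PIDs and the rogue paths are all invented for the demonstration) against the expected image path, account, signer, allowed children, instance count per interactive session, and the Userinit/Shell values of the Winlogon key. It also adds a simple lookalike-name check for the misspellings the text mentions (winlogan.exe, winlogon32.exe), generalising them to any name within edit distance two of "winlogon".

```python
"""Detection checks for winlogon.exe built from the indicator list above.

All process records, registry values and session counts below are constructed
sample telemetry for illustration; nothing here is read from a live system.
"""
from dataclasses import dataclass
import ntpath

EXPECTED_IMAGE = r"C:\Windows\System32\winlogon.exe"
EXPECTED_USER = r"NT AUTHORITY\SYSTEM"
EXPECTED_SIGNER = "Microsoft Windows"
ALLOWED_CHILDREN = {"logonui.exe", "userinit.exe", "dwm.exe", "fontdrvhost.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Expected binaries in the Winlogon key's Userinit and Shell values (compared by basename).
EXPECTED_REG = {"Userinit": {"userinit.exe"}, "Shell": {"explorer.exe"}}


@dataclass
class Proc:
    """Hypothetical process record, modelled on process-creation telemetry."""
    pid: int
    image: str            # full image path
    user: str             # account the process runs as
    session: int
    ppid: int = 0
    signed: bool = True
    signer: str = EXPECTED_SIGNER


def _name(path):
    return ntpath.basename(path).lower()


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_lookalike(name):
    """True for names that imitate winlogon.exe without being it (winlogan.exe, winlogon32.exe)."""
    if name == "winlogon.exe":
        return False
    stem = ntpath.splitext(name)[0]
    return stem.startswith("winlogon") or _levenshtein(stem, "winlogon") <= 2


def check_winlogon(procs, interactive_sessions, reg_values):
    """Return (severity, message) findings for the constructed process snapshot."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    winlogons = [p for p in procs if _name(p.image) == "winlogon.exe"]
    for w in winlogons:  # identity of each winlogon.exe instance
        if w.image.lower() != EXPECTED_IMAGE.lower():
            findings.append(("high", f"pid {w.pid}: image path {w.image}"))
        if w.user.upper() != EXPECTED_USER.upper():
            findings.append(("high", f"pid {w.pid}: running as {w.user}"))
        if not w.signed or w.signer != EXPECTED_SIGNER:
            findings.append(("high", f"pid {w.pid}: unsigned or signer {w.signer!r}"))
    for p in procs:  # children of any winlogon.exe instance
        parent = by_pid.get(p.ppid)
        if parent is None or _name(parent.image) != "winlogon.exe":
            continue
        child = _name(p.image)
        if child in SHELLS_AND_SCRIPT_HOSTS:
            findings.append(("high", f"pid {p.pid}: shell/script host {child} under winlogon pid {p.ppid}"))
        elif child not in ALLOWED_CHILDREN:
            findings.append(("high", f"pid {p.pid}: unexpected child {child} under winlogon pid {p.ppid}"))
    if len(winlogons) > interactive_sessions:
        findings.append(("med", f"{len(winlogons)} winlogon.exe instances for {interactive_sessions} sessions"))
    for value_name, expected in EXPECTED_REG.items():  # Userinit / Shell persistence
        entries = [e.strip() for e in reg_values.get(value_name, "").split(",") if e.strip()]
        extra = [e for e in entries if _name(e) not in expected]
        if extra:
            findings.append(("med", f"Winlogon {value_name} has extra entries: {extra}"))
    for p in procs:  # masquerading by a near-identical name
        if _is_lookalike(_name(p.image)):
            findings.append(("high", f"pid {p.pid}: lookalike name {_name(p.image)}"))
    return findings


def clean_sample():
    """Constructed snapshot of one healthy console session."""
    sysacct = EXPECTED_USER
    procs = [
        Proc(600, EXPECTED_IMAGE, sysacct, 1),
        Proc(700, r"C:\Windows\System32\LogonUI.exe", sysacct, 1, ppid=600),
        Proc(720, r"C:\Windows\System32\dwm.exe", r"Window Manager\DWM-1", 1, ppid=600),
        Proc(740, r"C:\Windows\System32\fontdrvhost.exe", r"Font Driver Host\UMFD-1", 1, ppid=600),
        Proc(760, r"C:\Windows\System32\userinit.exe", r"DESKTOP\alice", 1, ppid=600),
    ]
    reg = {"Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"}
    return procs, 1, reg


def suspicious_sample():
    """Clean snapshot plus constructed anomalies matching the indicators above."""
    procs, sessions, reg = clean_sample()
    procs = procs + [
        Proc(900, r"C:\Users\Public\winlogon.exe", r"DESKTOP\bob", 1, ppid=760, signed=False, signer=""),
        Proc(950, r"C:\Windows\System32\cmd.exe", EXPECTED_USER, 1, ppid=600),  # shell under winlogon
        Proc(980, r"C:\ProgramData\winlogan.exe", r"DESKTOP\bob", 1, ppid=760),  # lookalike name
    ]
    reg = dict(reg, Userinit=r"C:\Windows\system32\userinit.exe,C:\ProgramData\update.exe")
    return procs, sessions, reg


def sample_findings():
    return check_winlogon(*suspicious_sample())


if __name__ == "__main__":
    for severity, message in sample_findings():
        print(f"[{severity}] {message}")
```

Real telemetry would come from process-creation events or a process snapshot rather than hand-built records; the checks themselves map one-to-one onto the indicator list, with the lookalike test as the only addition.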
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1