Tags: Critical Risk | Windows | Legitimate | Commonly Abused
winlogon.exe (System Process)

winlogon.exe - Windows Logon Process Security Analysis

winlogon.exe is the **Windows Logon Application**, responsible for managing user authentication, Ctrl+Alt+Del handling, and user profile loading. It is a **prime target for credential theft attacks** because it handles authentication credentials. Attackers abuse Winlogon registry keys for persistence and target its memory for credential harvesting.

Risk Summary

CRITICAL priority for SOC triage. winlogon.exe handles user authentication and is targeted by credential dumping tools. Monitor for unusual DLLs loaded, registry modifications to Winlogon keys (Shell, Userinit), and processes accessing winlogon memory.

Overview

What is winlogon.exe?

winlogon.exe is the Windows Logon Application, a critical system process that manages user authentication and session initialization.

Core Functions

Secure Attention Sequence (SAS):

  • Handles Ctrl+Alt+Del key combination
  • Provides secure pathway to logon interface

User Authentication:

  • Coordinates with credential providers
  • Validates credentials against SAM or Active Directory
  • Manages logon session establishment

Profile and Shell Loading:

  • Invokes userinit.exe to load user environment
  • Triggers Group Policy processing
  • Starts user shell (explorer.exe)

Session Management:

  • Handles workstation lock/unlock
  • Manages logoff and shutdown

Security Significance

  • Credential Handling: Has access to user credentials during authentication
  • Persistence Target: Winlogon registry keys are common persistence mechanisms
  • Mimikatz Target: Credential dumping tools target winlogon memory

Normal Behavior

Expected Process State

Property     Expected Value
Path         C:\Windows\System32\winlogon.exe
Parent       smss.exe
Instances    ONE per user session
User         NT AUTHORITY\SYSTEM
Children     userinit.exe, LogonUI.exe
Memory       5-20 MB

Normal Child Processes

winlogon.exe
├── userinit.exe (initializes user)
├── LogonUI.exe (credential UI)
└── dwm.exe (Desktop Window Manager)

Critical: winlogon.exe should NOT spawn cmd.exe or PowerShell directly.

Common Locations

C:\Windows\System32\winlogon.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\winlogon.exe
Parent:      smss.exe
Instances:   ONE per session
User:        NT AUTHORITY\SYSTEM
Children:    userinit.exe, LogonUI.exe
Network:     None

SUSPICIOUS

Path:        C:\Windows\winlogon.exe
Parent:      explorer.exe, cmd.exe
Children:    cmd.exe, powershell.exe
Network:     Any connections
Misspelling: win1ogon.exe, winlogin.exe

Critical Registry Values

Key                  Normal           Suspicious
Winlogon\Shell       explorer.exe     Anything else
Winlogon\Userinit    userinit.exe,    Additional entries
Winlogon\Notify      Empty            Any entries

Abuse Techniques

Technique #1: Credential Dumping (T1003)

Mimikatz targets winlogon.exe memory:

sekurlsa::logonpasswords

Detection Signals:

  • Sysmon Event ID 10: Process access to winlogon.exe
  • GrantedAccess flags: 0x1F0FFF, 0x1010
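Detection logic for the Sysmon Event ID 10 signal above, as an added Python example that is not part of the original page: it parses constructed Event 10 records in Sysmon's XML layout and flags any process that opened winlogon.exe with the PROCESS_VM_READ right or the full 0x1F0FFF mask. The source image paths and the benign 0x1400 access value are constructed for the sample, not taken from real telemetry.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Win32 process access rights that matter for credential dumping.
PROCESS_VM_READ = 0x0010      # required to read another process's memory
FULL_ACCESS_MASK = 0x1F0FFF   # the full-access mask listed in the signals above


def event10(source, target, granted):
    """Build a constructed Sysmon Event ID 10 record in the real schema layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>10</EventID></System><EventData>'
        f'<Data Name="SourceImage">{source}</Data>'
        f'<Data Name="TargetImage">{target}</Data>'
        f'<Data Name="GrantedAccess">{granted}</Data>'
        f'</EventData></Event>'
    )


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    event10(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\winlogon.exe", "0x1400"),
    event10(r"C:\Users\bob\Downloads\tool.exe", r"C:\Windows\System32\winlogon.exe", "0x1010"),
    event10(r"C:\Users\bob\Downloads\tool.exe", r"C:\Windows\System32\winlogon.exe", "0x1F0FFF"),
    event10(r"C:\Users\bob\Downloads\tool.exe", r"C:\Windows\System32\notepad.exe", "0x1F0FFF"),
]


def parse_event10(xml_text):
    """Return the EventData fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", NS)}


def is_suspicious_winlogon_access(fields):
    """True when a process opened winlogon.exe with memory-read or full access."""
    if not fields.get("TargetImage", "").lower().endswith("\\winlogon.exe"):
        return False
    mask = int(fields.get("GrantedAccess", "0x0"), 16)
    return mask == FULL_ACCESS_MASK or bool(mask & PROCESS_VM_READ)


def triage(events):
    """Return (SourceImage, GrantedAccess) for every suspicious winlogon access."""
    hits = []
    for xml_text in events:
        fields = parse_event10(xml_text)
        if is_suspicious_winlogon_access(fields):
            hits.append((fields["SourceImage"], fields["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in triage(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened winlogon.exe with GrantedAccess={access}")
```

In production an allow-list of known-good source images (security agents, system processes) is layered on top, since the access-mask test alone will fire on legitimate tooling.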

Technique #2: Winlogon Shell Persistence (T1547.004)

Registry Target:

HKLM\...\Winlogon
Shell = explorer.exe, C:\malware\payload.exe

Legitimate Value:

Shell = explorer.exe

Technique #3: Userinit Persistence

Registry Target:

HKLM\...\Winlogon
Userinit = C:\Windows\system32\userinit.exe,C:\malware\payload.exe

Remediation Steps

Defense: Enable Credential Guard

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -Value 1

Defense: Registry Auditing

Enable auditing on Winlogon keys.

If Compromise Suspected

  1. DO NOT terminate winlogon.exe
  2. Capture memory dump
  3. Document Winlogon registry values
  4. Force password reset for affected users
  5. Check for lateral movement
  6. Audit all systems for Winlogon modifications

Investigation Checklist

  • Verify path is C:\Windows\System32\winlogon.exe
  • Confirm parent is smss.exe
  • Check instance count matches sessions
  • Review Winlogon\Shell registry
  • Review Winlogon\Userinit registry
  • Check Winlogon\Notify entries
  • Examine Sysmon Event ID 10
  • Check for credential dumping artifacts
  • Search for winlogon.exe outside System32

MITRE ATT&CK Techniques

Last verified: January 18, 2026