Locally: managed by LSA
Local interactive logon managed by WinLogon system process
Only process that intercepts login requests from the keyboard, whichy are sent via RPC messages from Win32k.sys
| Authentication Packages | Description |
|---|---|
Lsasrv.dll |
The |
| LSA Server service both enforces security policies and acts as the | |
| security package manager for the LSA. The LSA contains the Negotiate | |
| function, which selects either the NTLM or Kerberos protocol after | |
| determining which protocol is to be successful. | |
Msv1_0.dll |
Authentication package for local machine logons that don't require custom authentication. |
Samsrv.dll |
The Security Accounts Manager (SAM) stores local security accounts, enforces locally stored policies, and supports APIs. |
Kerberos.dll |
Security package loaded by the LSA for Kerberos-based authentication on a machine. |
Netlogon.dll |
Network-based logon service. |
Ntdsa.dll |
This library is used to create new records and folders in the Windows registry. |
Each interactive logon session creates a sperate instance of the WinLogon service.
The GINA(Graphical Identification and Authentication) archigtecture is loaded into the process area used by WinLogon, receives and processes the credentials, and invokes the authentication interfaces via the LSALogonUser function.
Security Account Manager
Located at: %SystemRoot%\\system32\\config\\SAM
Mounted on HKLM\SAM
Requires SYSTEM priv to access