Winlogon

The roles and responsibilities of Winlogon have changed significantly in Windows Vista and later operating systems.

Winlogon is launched by the Session Manager Subsystem as a part of the booting process of Windows NT.

Before Windows Vista, Winlogon was responsible for starting the Service Control Manager and the Local Security Authority Subsystem Service, but since Vista these have been launched by the Windows Startup Application (wininit.exe).

[5] Winlogon is a common target for several threats that could modify its function and memory usage.

Some registry keys allow multiple values to be supplied that allow a malicious program to be executed at the same time as a legitimate system file.

Classic "Begin logon" dialog box on Windows XP
Windows 11 lock screen, requiring user to press Ctrl+Alt+Delete .