Windows Internals
intermediate

Winlogon, LogonUI, and session sign-in

The visible and semi-visible path from secure attention to a fully signed-in session.

Guided paths in this branch

Follow a short sequence step by step. Each path links to the first topic; use Read next on each page to continue.

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Responsibilities of Winlogon

learn.microsoft.com

Microsoft Learn

Credentials processes in Windows authentication

learn.microsoft.com

Why it matters

This ties together startup, the secure desktop, user sign-in, and the point where Windows begins launching the user's environment.

Mental model

Winlogon coordinates secure interaction, LogonUI gathers credentials, and the authenticated result is handed into the security subsystem.

How it works

  1. 1Secure attention and sign-in UI are presented on a protected desktop.
  2. 2Credential providers gather the data needed for authentication.
  3. 3After success, Windows transitions from sign-in infrastructure to the user's desktop and shell environment.

Key terms

LogonUI
The sign-in user interface that renders credential provider tiles and prompts.
Secure desktop
A protected desktop used for sensitive prompts such as logon and UAC.

Why Ctrl+Alt+Del matters

That secure attention sequence ensures the sign-in path is brokered by trusted Windows components rather than an ordinary process.

Common misconception

Winlogon is not just 'the login window'. It is coordinating secure interaction, session transition, and later shell bring-up.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

intermediate

LSASS, SAM, and local security policy

The protected security process and data stores behind local accounts and policy decisions.

Next step in your guided path

intermediate

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Related topic

intermediate

Session Manager, Winlogon, and the shell

The early user-mode path from system process creation to an interactive desktop.

Related topic

Related topics

Session Manager, Winlogon, and the shell

The early user-mode path from system process creation to an interactive desktop.

Window stations & desktops

The session-side objects that organize visible desktops, input, and GUI isolation.

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Previous

Authentication & logon

How Windows turns credentials into authenticated sessions, security contexts, and usable access tokens.

Next

LSASS, SAM, and local security policy

The protected security process and data stores behind local accounts and policy decisions.