The Windows Process Journey — LogonUI.exe (Windows Logon User Interface Host)

Shlomi Boutnaru, Ph.D.
2 min read · Dec 18, 2022

“LogonUI.exe” (Windows Logon User Interface Host) is responsible for the graphical user interface that asks the user to log on to the system (aka the logon screen/lock screen). The executable file is located at “%SystemRoot%\System32\LogonUI.exe”. On 64-bit systems there is only a 64-bit version, with no 32-bit version as there is for other executables such as cmd.exe.

Moreover, “LogonUI.exe” is executed under the Local System user (S-1-5-18) for every session (excluding session 0). “winlogon.exe” is the process responsible for running “LogonUI.exe”, as we can see in the screenshot below, which was taken from Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon). Also, if you want to see how the “LogonUI.exe” GUI looks in different versions of Windows, you can check the following link: https://media.askvg.com/articles/images3/Windows_Login_Screen.png.
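The properties described above (image path, parent process, user and session) can serve as a baseline for spotting a process that only borrows the “LogonUI.exe” name. The following is an added example, not code from the original writeup; the record field names and the sample records are constructed assumptions, and `C:\Windows` is assumed as the value of %SystemRoot%.

```python
import ntpath

# Baseline for a genuine LogonUI.exe, taken from the text above.
EXPECTED_IMAGE = r"%SystemRoot%\System32\LogonUI.exe"
EXPECTED_PARENT = "winlogon.exe"
LOCAL_SYSTEM_SID = "S-1-5-18"

def check_logonui(event, system_root=r"C:\Windows"):
    """Return deviations from the baseline for one process-creation record.

    The field names (image, parent_image, user_sid, session_id) are
    hypothetical. [] means the record matches the baseline; None means
    the record is not a LogonUI.exe process at all.
    """
    image = event["image"]
    if ntpath.basename(image).lower() != "logonui.exe":
        return None
    expected = EXPECTED_IMAGE.replace("%SystemRoot%", system_root)
    findings = []
    # Windows paths are case-insensitive, so normalise before comparing.
    if ntpath.normcase(ntpath.normpath(image)) != ntpath.normcase(expected):
        findings.append("unexpected image path: " + image)
    if ntpath.basename(event["parent_image"]).lower() != EXPECTED_PARENT:
        findings.append("unexpected parent: " + event["parent_image"])
    if event["user_sid"] != LOCAL_SYSTEM_SID:
        findings.append("not running as Local System: " + event["user_sid"])
    if event["session_id"] == 0:
        findings.append("running in session 0")
    return findings

# Constructed sample records, not taken from a real host.
WINLOGON = r"C:\Windows\System32\winlogon.exe"
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\LogonUI.exe", "parent_image": WINLOGON,
     "user_sid": LOCAL_SYSTEM_SID, "session_id": 1},
    {"image": r"c:\windows\system32\logonui.exe", "parent_image": WINLOGON,
     "user_sid": LOCAL_SYSTEM_SID, "session_id": 2},
    {"image": r"C:\Users\Public\LogonUI.exe", "parent_image": r"C:\Windows\explorer.exe",
     "user_sid": USER_SID, "session_id": 1},
    {"image": r"C:\Windows\System32\LogonUI.exe", "parent_image": WINLOGON,
     "user_sid": LOCAL_SYSTEM_SID, "session_id": 0},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "user_sid": USER_SID, "session_id": 1},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", check_logonui(ev))
```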

From the perspective of the data flow between “LogonUI.exe” and “winlogon.exe”, the basic phases are as follows (after “LogonUI.exe” has been launched by “winlogon.exe”). “LogonUI.exe” gets credentials from the user (like username and password) and sends them to “winlogon.exe”. “winlogon.exe” performs the authentication (since Windows Vista it is done using a credential provider; before that it was done by msgina.dll). If the authentication process succeeds, it sends a message back to “LogonUI.exe” to indicate that the user has been authenticated (https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication). We will get deeper into this flow after talking about “winlogon.exe”, sessions, ALPC (which is the communication line between the processes) and more.

In addition, settings for “LogonUI.exe” are stored in the registry in the following branch: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI”. Among those settings we can find the user list that should be shown, the last user that logged on and the background image.

Lastly, if you want to see reference code for “LogonUI.exe”, you can check out ReactOS (https://github.com/reactos/reactos/tree/3647f6a5eb633b52ef4bf1db6e43fc2b3fc72969/base/system/logonui).

See you in the next writeup :-). You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru).