Winlogon and the protection ring

Archive for March, 2006

Winlogon and the protection ring

Posted by

Windows typically divides up processes into kernel mode (ring 0) and user model (ring 3). See Wikipedia for more information on ring modes and security. In general, kernel mode is protected while user mode is not.

Winlogon and the GINA (Graphical identification and authentication) process does not actually run in either kernel mode or user mode. Instead, the GINA runs in a protected area known as LSA mode, which is in the LSA’s process space (Local security authority). You can see this in Task Manager or Process Explorer as lsass.exe. If lsass.exe is compromised or halted, the process watchdog immediately blue screens the computer.

I found this while working on an unresponsive server. The server becomes unresponsive to all requesst requiring authentication. The IP stack is still working; I can ping it and a port scan shows that services are still listening. On the console, the Winlogon desktop is active but the Gina does not appear. RPC calls via MMCs fail to connect to the server.  I have left the computer in this state for as long as 16 hours. It never blue screens or stops responding all together. The only way to recover is power cycling. The problem ended up being hardware related and was resolved by replacing the server and restoring the OS.