First, understanding Windows XP logins
Several login types
1. Interactive Login
Interactive login is the most common type of login and the one we usually use: the user logs in locally with a user account and password. Some people think that "interactive login" means "local login", but this is wrong. "Interactive login" also includes "domain account login", whereas "local login" is limited to "local account login".
It is worth mentioning that logging in to a host through Terminal Services or Remote Desktop also counts as "interactive login"; the verification principle is the same.
During interactive login, the system first checks the type of the user account being logged in, whether it is a local user account (Local User Account) or a domain user account (Domain User Account), and then uses the corresponding authentication mechanism. Because the account types differ, the processing methods also differ.
Local User Account
When you log in with a local user account, the system verifies the credentials against the information stored in the local SAM database. This is why a forgotten Administrator password on Windows 2000 could be solved by deleting the SAM file; on Windows XP this no longer works, presumably for security reasons. After logging in with a local user account, you can only access local resources to which the account has access rights. (Figure 1)
Figure 1
Domain User Account
When you log in with a domain user account, the system verifies the credentials against the data stored in the Active Directory of the domain controller. If the user account is valid, after logging in you can access any resource in the entire domain to which the account has access rights.
Tip: If the computer has joined a domain, the login dialog shows a "Log on to:" item, from which you can choose to log in to the domain or to this machine.
2. Network Login
If your computer has joined a workgroup or domain, you need a "network login" when you want to access resources on other computers. As shown in Figure 2, when you want to log in to the host named Heelen, you enter a user name and password belonging to that host, and that host verifies them. Note that the account entered must be an account on the other host, not one on your own machine, because in a network login the validity of the user account is checked by the host being accessed.
Figure 2
3. Service Login
Service login is a special login method. Usually, when the system starts services and programs, they run after logging in with certain user accounts. These accounts can be domain user accounts, local user accounts, or the SYSTEM account. Services logged in with different accounts have different access and control permissions over the system; and, as with "interactive login", a service logged in with a local user account can access only the local resources it has rights to and cannot access resources on other computers.
As can be seen from Task Manager in Figure 3, different system processes use different accounts. When the system starts, some basic and Win32 services are logged in before the user in order to access and control the system. These services can be configured by running Services.msc. Because system services occupy a pivotal position, they are generally logged in with the SYSTEM account and therefore have absolute control over the system, which is also why so many viruses and Trojans compete to join this privileged "aristocracy". Besides SYSTEM, some services are also logged in with the Local Service and Network Service accounts. After the system has initialized, all programs that the user runs are logged in with the user's own account.
Figure 3
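The account column that Figure 3 shows in Task Manager can also be collected for every service at once. The following script is an added example and not code from the original article; it lists each service with the account it logs on with (the "service login" described above) and, because the article notes that malware also tries to run as SYSTEM, it separately lists LocalSystem services whose executable lives outside %SystemRoot% for review. It assumes PowerShell 2.0 or later on Windows XP SP3 or newer, run from an administrator account so that Win32_Service returns all services.

```powershell
# Added example, not part of the original article. Enumerate every Windows
# service with the account it logs on with (what the article calls "service
# login") and flag LocalSystem services whose binary is outside %SystemRoot%.
# Assumption: PowerShell 2.0+ on Windows XP SP3 / Server 2003 or newer, run
# from an administrator account so Win32_Service returns all services.

function Get-ServiceLogonSummary {
    $services = Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, State, StartName, PathName

    # How many services run under each logon account. On a default XP machine
    # this shows LocalSystem, NT AUTHORITY\LocalService and
    # NT AUTHORITY\NetworkService, plus any local or domain user accounts.
    $byAccount = $services |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object Count, @{ Name = 'LogonAccount'; Expression = { $_.Name } }

    # LocalSystem gives a service full control of the machine, so a LocalSystem
    # service whose executable is not under %SystemRoot% deserves a closer look.
    # PathName may be quoted ("C:\Program Files\...") so strip the leading quote
    # before comparing.
    $systemRoot = $env:SystemRoot
    $review = $services | Where-Object {
        $_.StartName -eq 'LocalSystem' -and
        $_.PathName -and
        ($_.PathName.TrimStart('"') -notlike "$systemRoot*")
    } | Select-Object Name, State, PathName

    New-Object PSObject -Property @{
        ByAccount         = $byAccount
        ReviewLocalSystem = $review
    }
}

$summary = Get-ServiceLogonSummary
"Services per logon account:"
$summary.ByAccount | Format-Table -AutoSize
"LocalSystem services whose binary is outside $env:SystemRoot (review these):"
$summary.ReviewLocalSystem | Format-Table -AutoSize
```

Anything in the second table is not necessarily malicious (many legitimate third-party services install under Program Files and run as LocalSystem), but it is the list to compare against what you know you installed, since those are the services with the same "absolute control" the article attributes to the SYSTEM account.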
From the principle above, it is not hard to see why many computer articles advise ordinary users to log in as members of the Users group: even if you run a virus or Trojan, the permission restrictions of the logged-in account mean that at most the resources belonging to that user can be destroyed, while the information that is important to the security and stability of the system cannot be damaged.
4. Batch Login
Batch login is rarely used by ordinary users; it is typically used by programs that perform batch operations. When performing a batch login, the account used must have the right to log on as a batch job, otherwise it cannot log in.
Usually we are most exposed to "interactive login", so the author will explain the principle of "interactive login" in detail.
Second, which system components take part in interactive login
1. Winlogon.exe
Winlogon.exe is the most important component of "interactive login". It is a secure process and is responsible for the following work:
◇ Loading the other login components.
◇ Providing a graphical interface for user-related operations so that users can log in or log out.
◇ Sending the necessary information to GINA as needed.
2. GINA
GINA stands for "Graphical Identification and Authentication". It is a dynamic link library (DLL) that Winlogon.exe calls to identify and verify the user's identity and to pass the user's account and password back to Winlogon.exe. During the login process, the "Welcome Screen" and the "Login Dialog" are displayed by GINA.
Some theme-setting software, such as StyleXP, can make Winlogon.exe load a GINA developed by the vendor itself, thereby providing a different Windows XP login interface. Because GINA can be replaced in this way, there are now Trojans that steal accounts and passwords.
One kind targets the "Welcome Screen" login mode: it imitates the Windows XP welcome interface, and when the user enters the password the Trojan captures it while the user is completely unaware. Therefore it is recommended that you do not log in with the welcome screen, and that you enable "secure login".
The other kind is a GINA Trojan for the login dialog. Its principle is to load at login time, steal the user's account and password, and save this information to WinEggDrop.dat under %systemroot%\system32. This Trojan blocks the login and "user switching" functions of the "Welcome Screen" mode, and also blocks the "Ctrl-Alt-Delete" secure-login prompt.
Users do not have to worry too much about having a GINA Trojan installed. The author provides the following solution:
As the saying goes, "whoever tied the bell must untie it": to check whether your computer has a GINA Trojan installed, download a GINA Trojan and run InstGina -view, which shows whether a DLL has been registered under the system's GinaDLL key, that is, whether the system has been set to load a GINA Trojan at login. If you are unlucky enough to have one installed, run InstGina -Remove to uninstall it.
3. LSA Service
LSA stands for "Local Security Authority". It is a very important service in Windows: all security-authentication-related processing must pass through it. It obtains the user's account and password from Winlogon.exe, processes them through its key mechanism, and compares the result with the key stored in the account database. If the comparison matches, the LSA considers the user's identity valid and allows the user to log in to the computer. If it does not match, the LSA considers the identity invalid, and the user cannot log in.
Do these three letters look familiar? Indeed, this is the service that was involved with the "Sasser" worm that raged some time ago. Sasser used a remote buffer overflow vulnerability in the LSA service to obtain SYSTEM, the highest level of system authority, and attack computers. There is plenty of information online about fixing the problem, so it will not be discussed further here.
4. SAM Database
SAM stands for "Security Account Manager". It is a protected subsystem that manages user and user group information through security accounts stored in the computer's registry. We can think of SAM as an account database. For computers not joined to a domain it is stored locally; for computers joined to a domain it is stored on the domain controller.
If the user attempts to log in to the local machine, the system compares the information provided by the user against the account information stored in the SAM database on that machine; if the user attempts to log in to the domain, the system compares it against the account information in the SAM database on the domain controller.
5. Net Logon Service
The Net Logon service is primarily used together with NTLM (NT LAN Manager, the default authentication protocol of Windows NT 4.0) to check whether the information provided by the user matches the account information in the SAM database on the Windows NT domain controller. The NTLM protocol is retained mainly for compatibility with Windows NT.
6. KDC Service
The KDC (Kerberos Key Distribution Center) service is primarily used together with the Kerberos authentication protocol to authenticate user logins across the entire Active Directory. If you can ensure there are no Windows NT computers in the domain, you can use only the Kerberos protocol for maximum security. This service is not enabled until the Active Directory service has started.
7. Active Directory Services
If your computer has joined a Windows 2000 or Windows 2003 domain, this service needs to be started to support Active Directory features.
Third, what does Winlogon do before and after login?
If the user has enabled "secure login", Winlogon registers a SAS (Secure Attention Sequence) with the system when it initializes. The SAS is a key combination, by default Ctrl-Alt-Delete. Its role is to ensure that the information the user enters during an interactive login is received by the system and cannot be captured by other programs; therefore, logging in with "secure login" ensures that the user's account and password are not stolen by hackers. To enable the "secure login" function, run the "control userpasswords2" command to open the "User Accounts" dialog, select "Advanced" (Figure 4), tick the "Require users to press Ctrl-Alt-Delete" option and confirm. From then on, before each login dialog appears, a prompt asks the user to press Ctrl-Alt-Delete in order to bring up the Windows XP GINA login dialog, because only the system's own GINA can intercept this key combination. As mentioned above, a GINA Trojan blocks the "secure login" prompt, so if the "secure login" prompt disappears for no reason, that is also a sign of a Trojan. The "secure login" feature was already used to protect system security as early as Windows 2000.
Figure 4
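The two checks the article recommends, looking at which DLL is registered as the GINA and confirming that the Ctrl-Alt-Delete secure login is still required, can be done directly from the registry without downloading anything. The script below is an added example and not code from the original article or from any tool it mentions. It reads the GinaDLL and DisableCAD values under the Winlogon key (these are the standard value names; the Group Policy copy of DisableCAD under Policies\System is checked first when present), hashes the registered GINA DLL so it can be compared with a known-good copy, and looks for the WinEggDrop.dat file that the article says the GINA Trojan writes under system32. It assumes PowerShell 2.0 or later on Windows XP SP3 or newer, run as an administrator so that the DLL under system32 can be read; the "OK"/"REVIEW" labels are this script's own convention.

```powershell
# Added example, not part of the original article. Audits the Winlogon settings
# discussed in the text: which GINA DLL is loaded, whether secure logon
# (Ctrl-Alt-Delete) is required, and whether the credential file the described
# GINA Trojan writes (WinEggDrop.dat under system32) is present.
# Assumptions: PowerShell 2.0+ on Windows XP SP3 or later, run as administrator.
# GinaDLL and DisableCAD are the standard Winlogon value names; the OK/REVIEW
# labels are this script's own convention, not a Windows status.

function Test-WinlogonIntegrity {
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $system32    = Join-Path $env:SystemRoot 'system32'
    $props       = Get-ItemProperty -Path $winlogonKey
    $findings    = @()

    function New-Finding($check, $status, $detail) {
        New-Object PSObject -Property @{ Check = $check; Status = $status; Detail = $detail }
    }

    # 1. GinaDLL. When the value is absent Winlogon loads the built-in msgina.dll.
    #    Any other DLL is a third-party GINA: a theme tool such as StyleXP, or a
    #    GINA Trojan. A relative name is resolved against system32.
    $gina = $props.GinaDLL
    if (-not $gina) {
        $findings += New-Finding 'GinaDLL' 'OK' 'value not set; built-in msgina.dll is used'
    } else {
        $ginaPath = if ([IO.Path]::IsPathRooted($gina)) { $gina } else { Join-Path $system32 $gina }
        $exists   = Test-Path $ginaPath
        $hash     = '(file not found)'
        if ($exists) {
            # SHA-1 of the DLL, for comparison with a known-good copy of the same file.
            $sha1  = [Security.Cryptography.SHA1]::Create()
            $bytes = [IO.File]::ReadAllBytes($ginaPath)
            $hash  = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        $status = if ($gina -ieq 'msgina.dll') { 'OK' } else { 'REVIEW' }
        $findings += New-Finding 'GinaDLL' $status "$gina (path: $ginaPath, exists: $exists, sha1: $hash)"
    }

    # 2. Secure logon. DisableCAD = 0 means the user must press Ctrl-Alt-Delete
    #    before the logon dialog appears; 1 means the prompt is skipped. A policy
    #    value, when set, is used in preference to the Winlogon value.
    $cad = $null
    if (Test-Path $policyKey) { $cad = (Get-ItemProperty -Path $policyKey).DisableCAD }
    if ($cad -eq $null) { $cad = $props.DisableCAD }
    if ($cad -eq $null) {
        $findings += New-Finding 'SecureLogon' 'REVIEW' 'DisableCAD not set; system default applies'
    } elseif ($cad -eq 0) {
        $findings += New-Finding 'SecureLogon' 'OK' 'DisableCAD = 0; Ctrl-Alt-Delete is required'
    } else {
        $findings += New-Finding 'SecureLogon' 'REVIEW' "DisableCAD = $cad; Ctrl-Alt-Delete is not required"
    }

    # 3. The drop file the article attributes to the login-dialog GINA Trojan.
    $dropFile = Join-Path $system32 'WinEggDrop.dat'
    if (Test-Path $dropFile) {
        $findings += New-Finding 'DropFile' 'REVIEW' "$dropFile exists"
    } else {
        $findings += New-Finding 'DropFile' 'OK' "$dropFile not present"
    }

    $findings | Select-Object Check, Status, Detail
}

Test-WinlogonIntegrity | Format-Table -AutoSize -Wrap
```

A "REVIEW" on GinaDLL is not proof of a Trojan, since theme software legitimately registers its own GINA; the hash is there so the file can be compared with the vendor's copy. A "REVIEW" on SecureLogon, combined with the article's observation that a GINA Trojan suppresses the Ctrl-Alt-Delete prompt, is the setting to restore through the "User Accounts" Advanced tab described above.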
After Winlogon has registered the SAS, GINA is called to create three desktops, which are used when the user needs them. They are:
◇ Winlogon desktop users are entering When logging in to the interface, I entered Winlogo