---

---

Analysis of the Security of  Windows NT 1 March 1999 36 FIGURE 12. Schematic view of the login procedure: step 1 (Numbers state chain of events) When a user presses the Ctrl-Alt-Delete key combination (called the Secure Attention Sequence (SAS)) WinLogon initiates the identification and authentication process and brings up a secure Desktop that prompts for username and password, see Figure 13. The password is collected by Win32 which encrypts the password with an internal encryption, later decrypts it and passes the password to WinLogon, see Figure 14. When WinLogon receives the username and the password it collects the domain of the user, creates a unique logon SID, creates and suspends a new process, and calls LSA, see Figure 15. FIGURE 13. Schematic view of the login procedure: step 2 (Numbers state chain of events) 1^{. Reg} is^{ter as} L^ogon P^rocess 2. Creates Window Sta- tion and Logon Desktop (Secure Desktop) 3.Change ACL Win Logon Win32 LSA 4. Register as Logon Process Window Station Logon Desktop 1.SAS pressed 2. ^SA S p ^re s ^se d 3^{. Acti} v^ate L^ogon D^eskto p Win Logon Win32 Window Station Logon Desktop