Debugging Tools for Windows

Debugging WinLogon with NTSD

WinLogon is the executable that handles the logon and logoff of interactive users, and handles all instances of CTRL+ALT+DELETE.

Although WinLogon is an integral part of the Windows operating system, it is actually a user-mode process.

Controlling NTSD from the Kernel Debugger

Generally, user-mode processes can be debugged equally well by CDB or NTSD. However, to debug WinLogon, it is necessary to use NTSD and control it from the kernel debugger.

The reason for this is that when its output is redirected, NTSD runs without creating any console window on the target computer. CDB would require a console window, and a console window in turn requires an active WinLogon process, which is exactly the process being debugged.

Enabling WinLogon Debugging

Because you will be redirecting the user-mode debugger output to the kernel debugger, you will need to set up a kernel debugging connection. See Kernel-Mode Setup for details.

To attach a debugger to WinLogon, you must go through the registry so the process is debugged from the time it starts up. To set up WinLogon debugging, set HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinLogon.EXE\Debugger to:

ntsd -d -x -g

The -d option redirects the debugger's input and output to the kernel debugger, which is what allows NTSD to run without a console window. The -x option causes the debugger to capture access violations as second-chance exceptions. The -g option causes the WinLogon process to run after the attachment. Omit -g if you want to start debugging before Winlogon.exe begins executing (for example, if you want to set an initial breakpoint).

In addition, you should set the GlobalFlag value under the winlogon.exe key to REG_SZ "0x000400F0". This sets heap checking and FLG_ENABLE_KDEBUG_SYMBOL_LOAD. However, since this second flag only affects the kernel debugger, symbols must also be copied to the target computer before starting the debugger.

The registry change requires a reboot to take effect.
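The registry setup above, as an added PowerShell example (not part of the original page): it writes the Debugger and GlobalFlag values exactly as described, reads them back so the configuration can be verified, and removes them again once debugging is finished. It assumes an elevated session on the target computer and that ntsd is on the PATH; the function names are my own.

```powershell
# Added example, not from the original page: configure, inspect and remove the
# WinLogon IFEO debugger settings described above. Run elevated on the target
# machine; a reboot is still required for the change to take effect.
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinLogon.EXE'

function Enable-WinLogonDebug {
    # -BreakAtStart omits -g so NTSD stops before WinLogon begins (initial breakpoint)
    param([switch]$BreakAtStart)
    if (-not (Test-Path $IfeoKey)) { New-Item -Path $IfeoKey -Force | Out-Null }
    $debugger = if ($BreakAtStart) { 'ntsd -d -x' } else { 'ntsd -d -x -g' }
    New-ItemProperty -Path $IfeoKey -Name 'Debugger' -Value $debugger `
        -PropertyType String -Force | Out-Null
    # The page specifies REG_SZ for GlobalFlag: heap checking plus
    # FLG_ENABLE_KDEBUG_SYMBOL_LOAD. Symbols must also be present on the target.
    New-ItemProperty -Path $IfeoKey -Name 'GlobalFlag' -Value '0x000400F0' `
        -PropertyType String -Force | Out-Null
}

function Get-WinLogonDebug {
    # Returns the current Debugger/GlobalFlag values (or $null if the key is absent)
    # so the setting can be checked before rebooting and audited afterwards.
    if (-not (Test-Path $IfeoKey)) { return $null }
    Get-ItemProperty -Path $IfeoKey | Select-Object Debugger, GlobalFlag
}

function Disable-WinLogonDebug {
    # Remove both values when debugging is done; a Debugger entry under the
    # winlogon.exe IFEO key should not remain on a machine that is back in service.
    if (Test-Path $IfeoKey) {
        Remove-ItemProperty -Path $IfeoKey -Name 'Debugger', 'GlobalFlag' `
            -ErrorAction SilentlyContinue
    }
}

Enable-WinLogonDebug          # or: Enable-WinLogonDebug -BreakAtStart
Get-WinLogonDebug             # confirm the values before rebooting
```

Both the key path and the GlobalFlag value type follow the page; the registry is not case-sensitive, so WinLogon.EXE and winlogon.exe refer to the same key.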

Performing the Debugging

After the next reboot, the debugger will break into WinLogon automatically.

See Controlling the User-Mode Debugger from the Kernel Debugger for an explanation of how to proceed.

You will have to set your symbol path to a location on your host computer or to some other location on your network. When WinLogon is being debugged, network authentication on the target computer will not work properly.
