Gina and Winlogon -- Kernel or User Mode?

jwgoerlich

Hello,

Are the Gina and Winlogon kernel mode processes, or user mode? Any link
to Microsoft documentation would be appreciated.

Thanks in advance,

J Wolfgang Goerlich
 
Not user mode. Not conventional kernel mode either.
Very specially guarded, running out of LSA context.
 
I ask because I am troubleshooting an issue wherein the server becomes
unresponsive and yet does not crash.

Alright, the GINA runs under LSA's process space, LSA mode. I assume
the same is true for the Net Logon service. Is there anything that
could corrupt this in memory without causing a blue screen?

Thank you,

J Wolfgang Goerlich
 
Sure. There are even rootkits that intercept the Winlogon activity.
The server becomes unresponsive to logins? Or to everything via
the network? Or to everything? I am just trying to see why you
have focused on the local security authority's privates.
 
Roger said:
The server becomes unresponsive to logins? Or to everything via
the network? Or to everything?

The server becomes unresponsive to all requests requiring
authentication. The IP stack is still working; I can ping it and a port
scan shows that services are still listening. On the console, the
Winlogon desktop is active but the Gina does not appear. RPC calls via
MMCs fail to connect to the server.

I have left the computer in this state for as long as 16 hours. It never
blue screens or stops responding altogether. The only way to recover
is power cycling.

My assumption is that something is becoming corrupted in memory, likely
within the LSA. I am just trying to narrow down the problem as much as
possible.

J Wolfgang Goerlich
 