From 'Windows NT security' by Mark Russinovich:
"...When NT earned its C2 security rating, NCSC (National Computer Security
Center) also recognized NT as meeting two requirements of B-level security:
Trusted Path functionality and Trusted Facility Management functionality.
Trusted Path functionality prevents Trojan horse programs from intercepting
a user's name and password as the user logs on. NT's Trusted Path
functionality exists in the form of its Ctrl+Alt+Del logon-attention
sequence. This sequence of keystrokes, the Secure Attention Sequence (SAS),
causes an NT logon dialog box to pop up, which initializes a process that
helps NT recognize would-be Trojan horses. NT bypasses any Trojan horse that
presents a fake logon dialog when a user enters the attention sequence...
....In the first step of the secure logon process, NT recognizes the SAS and
prompts the user for identification and a password. The winlogon.exe program
is responsible for presenting NT's logon dialog boxes. Instead of containing
a built-in user interface, Winlogon loads the interface dynamically. This
strategy lets third-party vendors implement their logon interfaces. Logon
interface packages are known as Graphical Identification and Authentication
(GINA) libraries. The default logon interface, which presents the logon
dialog box most of us are familiar with, is MSGINA (it's located in
winnt\system32\msgina.dll). NT's ability to replace the logon interface lets
third-party vendors replace MSGINA with a proprietary GINA. For example, a
custom GINA might recognize a voice command instead of Ctrl+Alt+Del as the
logon sequence, or it might use a retinal scanning device to identify
users..."
Put simply, control and subsequent keyboard input is always passed to the
system's WINLOGON process when the system recognizes SAS.
