When a user is logged on the logon thread creates a unique SID to represent the logon. This is called the LogonSid. After the user has been logged on, the logon thread sets its windowstation's owner to be LogonSid and its discretionary ACL to some variation of:
ACE 0:
ACE Type = AccessAllowed
sid = LogonSid
AccessMask =
WINSTA_ACCESSCLIPBOARD~| WINSTA_CREATEDESKTOP~|
WINSTA_ENUMDESKTOPS~| WINSTA_ENUMERATE~|
WINSTA_READATTRIBUTES~| WINSTA_WRITEATTRIBUTES~|
WINSTA_ACCESSGLOBALATOMS~| WINSTA_EXITWINDOWS~|
WINSTA_READSCREEN~| STANDARD_RIGHTS_REQUIRED
Not Inheritable
ACE 1:
ACE Type = AccessAllowed
sid = LogonSid
AccessMask =
GenericRead~| GenericWrite~| GenericExecute~| GenericAll
Inheritable Only
Inheritable by containers
Inheritable by non-containers
Inheritance is to be propagated
The logon calls the NT Session Manager (SM) and passes it the windowstation name. The SM puts the windowstation name in the shell environment and then starts the Win32 shell or, if specified, a standard Windows program.