Winlogon States
Winlogon serves as the process that authenticates and logs on the interactive user. Winlogon will be in one of three states at any given time. These states are illustrated in the following diagram.
Figure 2 Winlogon States
When Winlogon is in the Logged Off state, users are prompted to identify themselves and enter authentication information. If a user provides correct user account information, and no restrictions prevent it, the user is logged on and a shell program (such as Progman.exe) is activated in the user's context. Winlogon changes into the Logged On state.
When Winlogon is in the Logged On state, the users can interact with the shell, activate additional applications, and generally perform their work. From users can either stop all work and log off, or lock their workstations (leaving all work in place). If the user decides to log off, Winlogon will terminate all processes associated with that logon session and the window station will be available for someone else. If, instead, the user decides to lock the workstation, a secure desktop is displayed.
When Winlogon is in the Workstation Locked state, the secure desktop is displayed either until the user unlocks the workstation (by providing identification and authentication information that match the information provided by the originally logged-on user), or until an administrator forces a logoff. If the workstation is unlocked, the user's typical desktop is again displayed, and work may resume. If, however, an administrator unlocks the workstation (by providing the identification and authentication information of an administrator account), the logged-on user's processes are terminated and the workstation becomes available for someone else.