The authentication process is way more complicated.
Local interactive logon is performed by the interaction between the logon process (WinLogon), the logon user interface process (LogonUI), the credential providers, LSASS, one or more authentication packages, and SAM or Active Directory. Authentication packages, in this case, are the Dynamic-Link Libraries (DLLs) that perform authentication checks. For example, for non-domain joined and interactive logins, the authentication package Msv1_0.dll is used.
Winlogon is a trusted process responsible for managing security-related user interactions. These include:
Launching LogonUI to enter passwords at login
Changing passwords
Locking and unlocking the workstation
It relies on credential providers installed on the system to obtain a user’s account name or password. Credential providers are COM objects that are located in DLLs.
Winlogon is the only process that intercepts login requests from the keyboard sent via an RPC message from Win32k.sys. Winlogon immediately launches the LogonUI application at logon to display the user interface for logon. After Winlogon obtains a user name and password from the credential providers, it calls LSASS to authenticate the user attempting to log in.
Each interactive logon session creates a separate instance of the Winlogon service.
SAM Database (Security Account Manager)
-> Credentials stored as NTLM hash:
If the Windows system is assigned to a workgroup during startup:
%SystemRoot%\system32\config\SAM
If the system has been joined to a domain, the Domain Controller must validate the credentials against the Active Directory database stored in:
%SystemRoot%\ntds.dit
Windows Credential Manager
A feature of Windows that allows users to save credentials for various network resources and websites. Those saved credentials are stored in:
PS C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\
NTDS
Very common in Windows; sends all the requests to a DC for verification.
All have the same NTDS.dit file that includes the password hashes.
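
The storage locations listed above can drive a simple detection. The following Python is an added example, not part of the original notes: it flags any process other than LSASS that opens the SAM file, NTDS.dit or a Credential Manager folder. The event records, the `C:\Windows` system root and the LSASS-only allowlist are constructed assumptions.

```python
import re

SYSTEM_ROOT = r"C:\Windows"  # assumed value of %SystemRoot%

# Credential stores named on this page, matched on normalised lowercase paths.
# The page gives %SystemRoot%\ntds.dit; a default install keeps the file under
# %SystemRoot%\NTDS\, so both locations are matched.
STORES = {
    "SAM": re.compile(r"^c:\\windows\\system32\\config\\sam$"),
    "NTDS.dit": re.compile(r"^c:\\windows\\(ntds\\)?ntds\.dit$"),
    "Credential Manager": re.compile(
        r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\(vault|credentials)(\\|$)"),
}

# Assumed allowlist: only LSASS at its system path. Tune per environment.
EXPECTED = {r"c:\windows\system32\lsass.exe"}

def normalise(path):
    """Unify slashes, expand %SystemRoot%, lowercase (NTFS paths ignore case)."""
    path = path.replace("/", "\\")
    path = re.sub("%systemroot%", lambda _: SYSTEM_ROOT, path, flags=re.I)
    return path.lower()

def classify(path):
    """Return the name of the credential store a path belongs to, or None."""
    p = normalise(path)
    return next((name for name, rx in STORES.items() if rx.search(p)), None)

def suspicious(events):
    """Return (image, store) for each access by a process outside EXPECTED."""
    hits = []
    for ev in events:
        store = classify(ev["target"])
        # Compare the full image path: a same-named binary elsewhere is flagged.
        if store and normalise(ev["image"]) not in EXPECTED:
            hits.append((ev["image"], store))
    return hits

# Constructed sample events (process image, file it opened).
EVENTS = [
    {"image": r"C:\Windows\System32\lsass.exe", "target": r"C:\Windows\System32\config\SAM"},
    {"image": r"C:\Users\Public\lsass.exe", "target": "%SystemRoot%/system32/config/SAM"},
    {"image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\NTDS\ntds.dit"},
    {"image": r"C:\Tools\backup.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Vault\sample.dat"},
    {"image": r"C:\Windows\System32\notepad.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, store in suspicious(EVENTS):
        print(f"ALERT {store}: opened by {image}")
```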