Logon sessions have never gotten much coverage in Windows documentation, but understanding them can help you get a better feel for how Windows works under the hood. A logon session is a data structure maintained by the kernel that represents an instance of a principal on a machine. It's where network credentials like your cached Kerberos tickets and the associated keys are stored (Item 59). Each token points to a single logon session, so ultimately each process is associated with a single logon session via its token, as shown in Figure 17.1.

Figure 17.1. Processes are linked to logon sessions via tokens.

A new ...