Thank you for your answer!! So, the main idea is that winlogon checks for user authentication, so if I kill lsass the communication between these two processes will lose, and by this way lsass can't authenticate the user and it will restart the system, right?