Terminal Services Architecture
Thursday, 14 February 2008 by Michel Roth
On the blog of the Enterprise Platforms Windows Server Performance Team (try saying that ten times in a row) I ran into a small article about the "architecture" of Terminal Services in Windows Server 2008. It describes the startup order and, more importantly, all the binaries associated with Terminal Services in Windows Server 2008. In the article, the team mentions the benefit of parallel session creation (faster logon times) and the binary details of all the new services/features (Session Broker, Terminal Services Gateway, etc.) associated with Terminal Services in Windows Server 2008. They also detail the process of starting up a Windows Server 2008 server and subsequent RDP sessions:

"The Service Control Manager initializes the system services including the Terminal Services service which is implemented in termsrv.dll and hosted in an instance of SVCHOST.EXE.  The Terminal Services stack driver, termdd.sys, is loaded and creates a listener thread to listen for incoming connections on TCP port 3389.  When a session request is detected, the RDP listener thread creates a new RDP stack instance to handle the new session request.  The listener thread hands over the incoming session to the new RDP stack instance and continues listening on TCP port 3389 for further connection attempts.

When a user logs on, either at the console or via Terminal Services, the initial Session Manager process creates a new instance of itself to configure the new session.  The new SMSS.EXE process starts a CSRSS.EXE process, a Windows Logon process (WINLOGON.EXE) and a per-session instance of the Window Manager (WIN32K.SYS).  WINLOGON.EXE starts the processes listed in the following registry key (USERINIT.EXE by default): HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\Userinit.  USERINIT.EXE starts the process defined as the shell in the following registry key (EXPLORER.EXE by default on full installations of Windows Server 2008 and CMD.EXE on Server Core installations of Windows Server 2008) and then exits: HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\Shell.

Terminal Server client sessions use separate drivers on the server, one for the display (rdpdd.dll) and one for the keyboard and mouse (rdpwd.sys).  The user interface rendering calls are captured by rdpdd.dll and transmitted to the client over the RDP protocol.  The keyboard and mouse input on the client is transmitted over the TCP connection to rdpwd.sys for translation.  These drivers provide the remote server interaction functionality for the client session."

Read the entire article here.  
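
The quoted article notes that WINLOGON.EXE and USERINIT.EXE launch whatever the Winlogon `Userinit` and `Shell` values name at every logon, console or Terminal Services, so those two values are worth checking against the defaults it lists. The PowerShell below is an added example, not code from the quoted article or from Microsoft; the helper name `Test-WinlogonValue`, the `C:\Windows` default and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the quoted article). Assumes PowerShell 3.0 or later.
# The registry spells the key "CurrentVersion", without a space.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Expected program names are the defaults the article names.
$Expected = @{ Userinit = @('userinit.exe'); Shell = @('explorer.exe', 'cmd.exe') }

function Test-WinlogonValue {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Userinit', 'Shell')][string]$Name,
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value,
        [string]$SystemRoot = 'C:\Windows'   # assumed default; pass $env:SystemRoot on a live host
    )
    $trusted = @($SystemRoot, "$SystemRoot\System32")
    # Userinit is a comma-separated list; Shell is split the same way as a simplification.
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        # The program is the first token (quoted or not); the rest is arguments.
        if ($entry -match '^"([^"]+)"\s*(.*)$' -or $entry -match '^(\S+)\s*(.*)$') {
            $program = $Matches[1]; $arguments = $Matches[2]
        }
        # Split the program into an optional directory and a file name.
        if ($program -match '^(?:(.*)[\\/])?([^\\/]+)$') {
            $dir = "$($Matches[1])"; $leaf = $Matches[2].ToLower()
        } else {
            $dir = ''; $leaf = $program.ToLower()
        }
        $nameOk = $Expected[$Name] -contains $leaf
        # A bare name is resolved by the system; a full path must be a Windows directory.
        $pathOk = (-not $dir) -or ($trusted -contains $dir)
        [pscustomobject]@{
            Name = $Name; Entry = $entry; Program = $leaf; Arguments = $arguments
            Suspicious = -not ($nameOk -and $pathOk)
        }
    }
}

# Constructed sample values (not taken from a real host).
$samples = @(
    @{ Name = 'Userinit'; Value = 'C:\Windows\system32\userinit.exe,' }
    @{ Name = 'Userinit'; Value = 'C:\Windows\system32\userinit.exe,C:\Users\Public\helper.exe' }
    @{ Name = 'Shell';    Value = 'explorer.exe' }
)
foreach ($s in $samples) { Test-WinlogonValue @s }

# On a live Windows host, audit the real values as well.
if ($env:OS -eq 'Windows_NT') {
    $w = Get-ItemProperty -Path $WinlogonKey
    'Userinit', 'Shell' | ForEach-Object { Test-WinlogonValue -Name $_ -Value $w.$_ -SystemRoot $env:SystemRoot }
}
```

Only the second sample yields a row with `Suspicious` set to True, for the extra `helper.exe` entry. The check does not inspect arguments, so a `cmd.exe` shell entry should still have its `Arguments` column reviewed by hand.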

