Information and startup locations for this file can be examined on this page. Verify all your files to make sure that they are legitimate, digitally signed, and from Microsoft Corporation, the company to which they should belong.
winlogon.exe security and file info
winlogon.exe
- Betriebssystem Microsoft® Windows®
- Microsoft Corporation
Filetype: executable
An executable file is a program that can be executed in your Windows environment.
What is winlogon.exe?
Winlogon.exe is part of the Windows Login Subsystem. This process is responsible for handling the secure attention sequence (pressing Ctrl+Alt+Del before seeing the login box), loading user profiles, locking the system when a screensaver is running, and verifying the operating system's activation key. On Windows XP, it provides support functions for Graphical Identification and Authentication (GINA).
This process is a critical system process and is essential to the operation of the system. Due to the critical nature of the process, it is not possible to terminate the process via the task manager. Disabling it otherwise will prevent you from logging in. The screenshot below illustrates how this process should appear in the task manager:

As you can see in the above screenshot, winlogon.exe always runs as SYSTEM. A process with this name running as a different user is a strong indicator of a malware infection.
Dangers of winlogon
As this is a critical system process that runs on every Windows NT-based (2000, XP, Vista) machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.
Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as winlogon.exe:
- W32.Netsky.D (%SystemRoot%)
  - Netsky is a mass-mailing worm that sends itself to any address it can find.
- Backdoor.Win32.SdBot.ada (%SystemRoot%\winlogon.pif)
  - This is an IRC backdoor Trojan which allows a remote attacker to control your system.
- Troj/Madr-B (%SystemRoot%\System32\wins, %SystemRoot%\System)
  - This is an IRC backdoor Trojan which connects to an IRC server to receive commands from a remote attacker.
There will always be exactly one instance of this process running at any given time. The presence of multiple instances is a strong indicator of a malware infection.
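The checks this section describes (image under %SystemRoot%\System32, running as SYSTEM, a single instance, no look-alike names) can be applied to a process snapshot as follows. This is an added example, not Runscanner's code; the record layout, the `triage` and `is_lookalike` names, the 0.8 similarity threshold and the sample snapshot are assumptions constructed for illustration.

```python
import difflib
import ntpath  # Windows path semantics, usable on any OS

EXPECTED = "winlogon.exe"
SYSTEM_USERS = {"system", "nt authority\\system"}

# Constructed process snapshot for illustration (not real telemetry).
SAMPLE = [
    {"pid": 412, "path": r"C:\Windows\System32\winlogon.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1380, "path": r"C:\Windows\winlogon.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 2044, "path": r"C:\Windows\System32\winlogon.exe", "user": r"DESKTOP\alice"},
    {"pid": 2310, "path": r"C:\Windows\System32\winlogin.exe", "user": r"DESKTOP\alice"},
    {"pid": 2522, "path": r"C:\Windows\winlogon.pif", "user": r"DESKTOP\alice"},
    {"pid": 3001, "path": r"C:\Windows\System32\winlogon.exe", "user": "SYSTEM"},
    {"pid": 3120, "path": r"C:\Windows\explorer.exe", "user": r"DESKTOP\alice"},
]

def is_lookalike(name):
    """True for near-misses: altered spelling, appended digits, other extension."""
    name = name.lower()
    if name == EXPECTED:
        return False
    stem = ntpath.splitext(name)[0]
    if stem.rstrip("0123456789") == "winlogon":
        return True
    # 0.8 is an assumed threshold, tune against your own process inventory
    return difflib.SequenceMatcher(None, stem, "winlogon").ratio() >= 0.8

def triage(processes, system_root=r"C:\Windows"):
    """Return (pid, reason) for every process that breaks one of the rules."""
    expected_path = ntpath.normcase(ntpath.join(system_root, "System32", EXPECTED))
    findings, genuine = [], []
    for p in processes:
        name = ntpath.basename(p["path"]).lower()
        if is_lookalike(name):
            findings.append((p["pid"], "look-alike name"))
        elif name != EXPECTED:
            continue
        elif ntpath.normcase(p["path"]) != expected_path:
            findings.append((p["pid"], "outside System32"))
        elif p["user"].lower() not in SYSTEM_USERS:
            findings.append((p["pid"], "not running as SYSTEM"))
        else:
            genuine.append(p["pid"])
    # The page expects exactly one instance; report every additional one.
    findings += [(pid, "extra instance") for pid in genuine[1:]]
    return findings

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(pid, reason)
```
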
Common problems
- Winlogon.exe error on boot
  - This can be caused by a malware infection, such as the Vundo Trojan.
- Blue Screen of Death "STOP 0xC000021A" citing winlogon.exe as the problem
  - This is caused when something is wrong with your winlogon.exe file. This can happen if you have mismatched system files, a service pack installation failed, a backup was restored incorrectly, or an incompatible program was installed.
  - If your system files are damaged, do a repair installation of Windows.
- This process uses 100% CPU time
  - This can be caused by a variety of problems. Try uninstalling any security software (anti-virus, firewall, anti-spyware) that you may have.
  - Try disabling your COM port (there is a known problem with the NetMos PCI Serial Port and winlogon.exe).
  - If there is a domain controller on your network, ensure that your network settings are such that your system can see it.
MD5 File security rating
An MD5 hash is a unique fingerprint of a file.
Different files/versions can have the same filenames. The MD5 hash verifies that the legitimate file is not altered.
Runscanner (Freeware) can help you check the file's MD5 hashes.
Winlogon.exe files in Runscanner database
352 different item(s) in database
3 different item(s) in database
7 different item(s) in database
341 different item(s) in database
Green items are verified safe to use.
Unrated items are not yet checked for safety.
Red items are not safe (typically viruses, spyware or other malware).
This file is digitally signed by its publisher.
This means that the file is from the company claiming to have created it; this does not mean by default that the file is safe.
General file info
Product name: Betriebssystem Microsoft® Windows®
Description: winlogon.exe
Company: Microsoft Corporation
Automatic startup locations
- 001 Running Processes
- 002 Autorun registry entries local machine
- 003 Autorun registry entries Current User
- 004 All users startup startmenu
- 005 Current user startup startmenu
- 007 Roaming Start Menu\Programs\Startup
- 008 Autorun registry entries Default user
- 009 Autorun registry entries SYSTEM user
- 010 Installed services
- 035 Active Setup Installed Components
- 073 %windir%\Tasks
- 139 Windows\load
- 140 Windows\run
- 146 AlternateShell
703 MD5 version(s) found
only top 10 displayed