Search filename

 
Home page
Download
File information

Database statistics
Total:  809,521
Whitelist:  252,181

Top process list
svchost.exe
iexplore.exe
csrss.exe
rundll32.exe
lsass.exe
alg.exe
wuauclt.exe
ccapp.exe
explorer.exe
ctfmon.exe
spoolsv.exe
services.exe
smss.exe
jusched.exe
winlogon.exe
mdm.exe
rthdcpl.exe
hkcmd.exe
msascui.exe
alcxmntr.exe

What is Winlogon.exe

winlogon.exe - Betriebssystem Microsoft® Windows® - Microsoft Corporation
Run a Free Scan for WINLOGON.EXE related errors

File description
Winlogon.exe with description winlogon.exe is a process file from company Microsoft Corporation belonging to product Betriebssystem Microsoft® Windows®.
The file is digitally signed from Kaspersky Lab - VeriSign Time Stamping Services Signer - G2
We do not recommend removing digitally signed files from Kaspersky Lab

What is winlogon.exe?
Winlogon.exe is the part of the Windows Login Subsystem. This process is responsible for handling the secure attention sequence (pressing Ctrl+Alt+Del before seeing the login box), loading user profiles, locking the system when a screensaver is running, and verifying the operating system's activation key. On Windows XP, it provides support functions for Graphical Idenitification and Authentication (GINA).

This process is a critical system process and is essential to the operation of the system. Due to the critical nature of the process, it is not possible to terminate the process via the task manager. Disabling it otherwise will prevent you from logging in. The screenshot below illustrates how this process should appear in the task manager:



As you can see in the above screenshot, winlogon.exe always runs as SYSTEM. A process with this name running as a different user is a strong indicator of a malware infection.

Dangers of winlogon
As this is a critical system process that runs on every Windows NT-based (2000, XP, Vista) machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.

Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as winlogon.exe:
  • W32.Netsky.D (%SystemRoot%)
    • Netsky is a mass-mailing worm that sends itself to any address it can find.
  • Backdoor.Win32.SdBot.ada (%SystemRoot%\winlogon.pif)
    • This is an IRC backdoor Trojan which allows a remote attacker to control your system
  • Troj/Madr-B (%SystemRoot%\System32\wins, %SystemRoot%\System)
    • This is an IRC backdoor Trojan which connects to an IRC server to receive commands from a remote attacker.
There will always be exactly one instance of this process running at any given time. The presence of multiple instances is a strong indicator of a malware infection.

Common problems
  • Winlogon.exe error on boot
    • This can be caused by a malware infection, such as the Vundo Trojan.
  • Blue Screen of Death "STOP 0xC000021A" citing winlogon.exe as the problem
    • This is caused when something is wrong with your winlogon.exe file. This can happen if you have mismatched system files, a service pack installation failed, a backup was restored incorrectly, or an incompatible program was installed.
    • If your system files are damaged, do a repair installation of Windows.
  • This process uses 100% CPU time
    • This can be caused a variety of problems. Try uninstalling any security software (anti-virus, firewall, anti-spyware) that you may have.
    • Try disabling your COM port (there is a known problem with the NetMos PCI Serial Port and winlogon.exe).
    • If there is a domain controller on your network, ensure that your network settings are such that your system can see it.

Automatic startup locations
001 Running Processes
002 Autorun registry entries local machine
003 Autorun registry entries Current User
004 All users startup startmenu
005 Current user startup startmenu
007 Roaming Start Menu\Programs\Startup
008 Autorun registry entries Default user
009 Autorun registry entries SYSTEM user
010 Installed services
012 Autorun registry entries S-1-5-XX users
033 Winlogon Userinit
034 Winlogon Shell
035 Active Setup Installed Components
038 Winlogon Taskman
063 BootExecute
065 Image File Execution Options (debugger)
073 %windir%\Tasks
136 Local Machine Runonce (+subkeys)
139 Windows\load
140 Windows\run
146 AlternateShell
166 HKCU Policies\Explorer\Run
167 HKLM Policies\Explorer\Run
191 Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Digital signatures found for this file
  Signer of certificate  Issuer of certificate 
Kaspersky Lab  VeriSign Time Stamping Services Signer - G2
Microsoft Corporation  Microsoft Timestamping Service
Microsoft Corporation  VeriSign Time Stamping Services Signer
Microsoft Windows  Microsoft Time-Stamp Service
Microsoft Windows  Microsoft Timestamping Service
Microsoft Windows  VeriSign Time Stamping Services Signer
Microsoft Windows 2000 Publisher  NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
Microsoft Windows 2000 Publisher  VeriSign Time Stamping Service
Microsoft Windows 2000 Publisher  VeriSign Time Stamping Service CA SW1
Microsoft Windows 2000 Publisher  VeriSign Time Stamping Services Signer
Microsoft Windows 2000 Publisher (Europe)  VeriSign Time Stamping Service
Microsoft Windows 2000 Publisher (Europe)  VeriSign Time Stamping Service CA SW1
Microsoft Windows Component Publisher  Microsoft Time-Stamp Service
Microsoft Windows Component Publisher  Microsoft Timestamping Service
Microsoft Windows Component Publisher  VeriSign Time Stamping Services Signer

MD5 security rating in our database
749 files (Not yet rated and not signed)
2 files (Not yet rated and digitally signed)
16 files (Safe and not signed)
431 files (Safe and digitally signed)
Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to winlogon.exe. Always make sure that your file is from a verified publisher.

Application errors
Fix winlogon.exe application error:  Run a FREE registry scan
User comments.
There are no comments yet.


Please add your comments if you have more information about this file or if you know how to solve winlogon.exe application errors.


File rating :

Are you human? How much is 8+15:


Browse files by letter
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
More system processes
winlogon32.exe winlogons.exe winlogonsys.exe
winlogon-xpsp2.exe WinLogoutNotifier.dll winlogqn.exe
winlogt.exe Winlp62.sys winlpr.exe
winlpsrr.exe WinMail.exe WINMAILTRAYICON.EXE

Free inventory software