What is Winlogon.exe

Windows NT Logon Application - Microsoft® Windows® Operating System - Microsoft Corporation

File description

Winlogon.exe (Windows NT Logon Application) is a process file from Microsoft Corporation that belongs to the Microsoft® Windows® Operating System product.
The file is digitally signed by Microsoft Windows Component Publisher - Microsoft Timestamping Service.
We do not recommend removing files digitally signed by Microsoft Windows Component Publisher.

What is winlogon.exe?
Winlogon.exe is part of the Windows Login Subsystem. This process is responsible for handling the secure attention sequence (pressing Ctrl+Alt+Del before seeing the login box), loading user profiles, locking the system when a screensaver is running, and verifying the operating system's activation key. On Windows XP, it provides support functions for Graphical Identification and Authentication (GINA).

This process is a critical system process and is essential to the operation of the system. Due to the critical nature of the process, it is not possible to terminate the process via the task manager. Disabling it otherwise will prevent you from logging in. The screenshot below illustrates how this process should appear in the task manager:



As you can see in the above screenshot, winlogon.exe always runs as SYSTEM. A process with this name running as a different user is a strong indicator of a malware infection.

Dangers of winlogon
As this is a critical system process that runs on every Windows NT-based (2000, XP, Vista) machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine process.

Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as winlogon.exe:
  • W32.Netsky.D (%SystemRoot%)
    • Netsky is a mass-mailing worm that sends itself to any address it can find.
  • Backdoor.Win32.SdBot.ada (%SystemRoot%\winlogon.pif)
    • This is an IRC backdoor Trojan which allows a remote attacker to control your system.
  • Troj/Madr-B (%SystemRoot%\System32\wins, %SystemRoot%\System)
    • This is an IRC backdoor Trojan which connects to an IRC server to receive commands from a remote attacker.
There will always be exactly one instance of this process running at any given time. The presence of multiple instances is a strong indicator of a malware infection.
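
The checks described in this section (image path, owner account, look-alike names, instance count), applied to a process snapshot. This is an added example, not code from the original page; the record fields (`pid`, `path`, `owner`), the reason labels and the sample data are constructed for illustration, and `C:\Windows` is assumed as %SystemRoot%.

```python
import ntpath
import re

LEGIT_NAME = "winlogon.exe"

def edit_distance(a, b):
    """Levenshtein distance, used to catch slight misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_processes(procs, system_root=r"C:\Windows", expected_instances=1):
    """Return sorted (pid, reason) findings for a process snapshot."""
    expected = ntpath.join(system_root, "System32", LEGIT_NAME).lower()
    findings, genuine = [], []
    for p in procs:
        path = ntpath.normpath(p["path"]).lower()
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if ntpath.basename(path) == LEGIT_NAME:
            if path != expected:                      # not in %SystemRoot%\System32
                findings.append((p["pid"], "wrong-path"))
            elif p["owner"].upper().split("\\")[-1] != "SYSTEM":
                findings.append((p["pid"], "not-system"))
            else:
                genuine.append(p["pid"])
        # Trailing digits stripped, then at most one edit away from "winlogon"
        elif edit_distance(re.sub(r"\d+$", "", stem), "winlogon") <= 1:
            findings.append((p["pid"], "lookalike-name"))
    if len(genuine) > expected_instances:  # the page's "exactly one instance" rule
        findings += [(pid, "multiple-instances") for pid in genuine]
    return sorted(findings)

# Constructed sample snapshot (not real telemetry).
SAMPLE = [
    {"pid": 612, "path": r"C:\Windows\System32\winlogon.exe", "owner": r"NT AUTHORITY\SYSTEM"},
    {"pid": 2304, "path": r"C:\Windows\winlogon.exe", "owner": r"NT AUTHORITY\SYSTEM"},
    {"pid": 3120, "path": r"C:\Windows\System32\winlogon.exe", "owner": r"DESKTOP\alice"},
    {"pid": 4016, "path": r"C:\Windows\System32\winlogon32.exe", "owner": r"DESKTOP\alice"},
    {"pid": 4420, "path": r"C:\Windows\System32\winl0gon.exe", "owner": r"DESKTOP\alice"},
    {"pid": 5000, "path": r"C:\Windows\explorer.exe", "owner": r"DESKTOP\alice"},
]

if __name__ == "__main__":
    for pid, reason in check_processes(SAMPLE):
        print(pid, reason)
```
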

Common problems
  • Winlogon.exe error on boot
    • This can be caused by a malware infection, such as the Vundo Trojan.
  • Blue Screen of Death "STOP 0xC000021A" citing winlogon.exe as the problem
    • This is caused when something is wrong with your winlogon.exe file. This can happen if you have mismatched system files, a service pack installation failed, a backup was restored incorrectly, or an incompatible program was installed.
    • If your system files are damaged, do a repair installation of Windows.
  • This process uses 100% CPU time
    • This can be caused by a variety of problems. Try uninstalling any security software (anti-virus, firewall, anti-spyware) that you may have.
    • Try disabling your COM port (there is a known problem with the NetMos PCI Serial Port and winlogon.exe).
    • If there is a domain controller on your network, ensure that your network settings are such that your system can see it.

Automatic startup locations

001 Running Processes
002 Autorun registry entries local machine
003 Autorun registry entries Current User
004 All users startup startmenu
005 Current user startup startmenu
007 Roaming Start Menu\Programs\Startup
008 Autorun registry entries Default user
009 Autorun registry entries SYSTEM user
010 Installed services
012 Autorun registry entries S-1-5-XX users
033 Winlogon Userinit
034 Winlogon Shell
035 Active Setup Installed Components
038 Winlogon Taskman
063 BootExecute
065 Image File Execution Options (debugger)
073 %windir%\Tasks
136 Local Machine Runonce (+subkeys)
139 Windows\load
140 Windows\run
146 AlternateShell
166 HKCU Policies\Explorer\Run
167 HKLM Policies\Explorer\Run
191 Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Digital signatures found for this file

    Certificate 
109 Microsoft Windows Component Publisher - Microsoft Timestamping Service
63 Microsoft Windows - Microsoft Time-Stamp Service
44 Microsoft Windows Publisher - VeriSign Time Stamping Services Signer
32 Microsoft Windows 2000 Publisher - VeriSign Time Stamping Services Signer
32 Microsoft Windows XP Publisher - VeriSign Time Stamping Services Signer
29 Microsoft Windows XP Publisher - VeriSign Time Stamping Service
15 Microsoft Windows 2000 Publisher - VeriSign Time Stamping Service
12 Microsoft Windows XP Publisher (Europe) - VeriSign Time Stamping Service
9 Microsoft Windows - Microsoft Timestamping Service
8 Microsoft Windows Component Publisher - Microsoft Time-Stamp Service
5 Microsoft Windows Component Publisher - VeriSign Time Stamping Services Signer
4 Microsoft Windows Publisher - VeriSign Time Stamping Service
3 Microsoft Windows - VeriSign Time Stamping Services Signer
2 Microsoft Corporation - Microsoft Timestamping Service
2 Microsoft Windows 2000 Publisher (Europe) - VeriSign Time Stamping Service

MD5 security rating in our database

824 files (Not yet rated and not signed)
2 files (Not yet rated and digitally signed)
22 files (Safe and not signed)
453 files (Safe and digitally signed)
Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to winlogon.exe. Always make sure that your file is from a verified publisher.

User ratings for this file

File rating: Average rating of winlogon.exe: by 1301 files and users.
