File description

Winlogon.exe (file description: "winlogon.exe") is a process file from Microsoft Corporation, belonging to the product Betriebssystem Microsoft® Windows® (German for "Microsoft Windows operating system"). The file is digitally signed by ESET, spol. s r.o. (timestamped by Symantec Time Stamping Services Signer - G3). We do not recommend removing digitally signed files from ESET, spol. s r.o.
What is winlogon.exe?
Winlogon.exe is part of the Windows Login Subsystem. This process is responsible for handling the secure attention sequence (pressing Ctrl+Alt+Del before seeing the login box), loading user profiles, locking the system when a screensaver is running, and verifying the operating system's activation key. On Windows XP, it provides support functions for Graphical Identification and Authentication (GINA).
This process is a critical system process and is essential to the operation of the system. Due to the critical nature of the process, it is not possible to terminate it via the Task Manager. Disabling it by other means will prevent you from logging in. The screenshot below illustrates how this process should appear in the Task Manager:

As you can see in the above screenshot, winlogon.exe always runs as SYSTEM. A process with this name running as a different user is a strong indicator of a malware infection.
Dangers of winlogon
As this is a critical system process that runs on every Windows NT-based (2000, XP, Vista) machine, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.
Some malicious files will have the same name but will be stored somewhere other than in %SystemRoot%\System32. Other malware will use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as winlogon.exe:
- W32.Netsky.D (%SystemRoot%)
  - Netsky is a mass-mailing worm that sends itself to any address it can find.
- Backdoor.Win32.SdBot.ada (%SystemRoot%\winlogon.pif)
  - This is an IRC backdoor Trojan which allows a remote attacker to control your system.
- Troj/Madr-B (%SystemRoot%\System32\wins, %SystemRoot%\System)
  - This is an IRC backdoor Trojan which connects to an IRC server to receive commands from a remote attacker.
There will always be exactly one instance of this process running at any given time. The presence of multiple instances is a strong indicator of a malware infection.
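The checks this page describes (file path under %SystemRoot%\System32, owner SYSTEM, publisher signature, instance count, look-alike names) gathered into one PowerShell audit script. This is an added example written for this page, not code from Runscanner; it also reads the Winlogon Userinit, Shell and Taskman registry values that appear in the page's list of autostart locations. The expected default values for those registry entries, the regular expression used to catch look-alike names, and the function names are assumptions of the example, not taken from the page.

```powershell
# Added example, not code from the Runscanner page. Run from an elevated
# PowerShell prompt: without elevation the ExecutablePath and owner of a
# SYSTEM process are not readable and every instance would look suspicious.
$expectedPath   = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$localSystemSid = 'S-1-5-18'   # compare the SID, not the name: "NT AUTHORITY\SYSTEM" is localized

function Get-WinlogonAudit {
    # One row per process named winlogon.exe, with the three indicators the page names.
    $rows = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'") {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $sid   = Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unreadable>' }

        $pathOk  = [bool]$p.ExecutablePath -and ($p.ExecutablePath -ieq $expectedPath)
        $ownerOk = $sid.Sid -eq $localSystemSid

        # Catalog-signed OS binaries report Status 'Valid' on Windows 8+ / PowerShell 5;
        # older hosts may report 'NotSigned' for a genuine file, so a False here means
        # "verify by another route", not "proof of tampering".
        $sigOk = $false
        if ($pathOk) {
            $sig   = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            $sigOk = ($sig.Status -eq 'Valid') -and
                     ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }

        [pscustomobject]@{
            PID       = $p.ProcessId
            SessionId = $p.SessionId
            Owner     = $ownerName
            Path      = $p.ExecutablePath
            PathOk    = $pathOk
            OwnerOk   = $ownerOk
            SigOk     = $sigOk
        }
    }
    $rows
}

function Get-WinlogonLookalikes {
    # Heuristic (assumed, not from the page) for the spelling and appended-digit tricks the
    # page describes: winlogon.pif, winlogon1.exe, winlogin.exe and similar all match here.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -ne 'winlogon.exe' -and $_.Name -match '^win.?log.?n' } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-WinlogonRegistryAudit {
    # The page lists "Winlogon Userinit", "Winlogon Shell" and "Winlogon Taskman" among the
    # autostart locations. Assumed defaults: Userinit is "<SystemRoot>\system32\userinit.exe,"
    # (trailing comma included), Shell is "explorer.exe", Taskman is normally absent.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Userinit   = $v.Userinit
        UserinitOk = $v.Userinit -ieq ((Join-Path $env:SystemRoot 'system32\userinit.exe') + ',')
        Shell      = $v.Shell
        ShellOk    = $v.Shell -ieq 'explorer.exe'
        Taskman    = $v.Taskman
        TaskmanOk  = [string]::IsNullOrEmpty($v.Taskman)
    }
}

$procs = @(Get-WinlogonAudit)
$procs | Format-Table -AutoSize
$bad   = @($procs | Where-Object { -not ($_.PathOk -and $_.OwnerOk -and $_.SigOk) })
$looks = @(Get-WinlogonLookalikes)
$reg   = Get-WinlogonRegistryAudit
$reg | Format-List

Write-Host ("winlogon.exe instances: {0} (one per interactive session is expected)" -f $procs.Count)
if ($bad.Count -or $looks.Count -or -not ($reg.UserinitOk -and $reg.ShellOk -and $reg.TaskmanOk)) {
    Write-Warning 'Anomalies found: review the rows flagged False and any look-alike names below.'
    $looks | Format-Table -AutoSize
}
```

Run it elevated. On Windows Vista and later there is one winlogon.exe per interactive session, so a second instance on a machine with an active Remote Desktop or fast-user-switching session is expected; the script reports SessionId so the count can be judged per session rather than per machine. A SigOk of False on an old host can mean the catalog signature was not checked rather than that the file is fake; confirm such a case through another route before acting on it.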
Common problems
- Winlogon.exe error on boot
  - This can be caused by a malware infection, such as the Vundo Trojan.
- Blue Screen of Death "STOP 0xC000021A" citing winlogon.exe as the problem
  - This is caused when something is wrong with your winlogon.exe file. This can happen if you have mismatched system files, a service pack installation failed, a backup was restored incorrectly, or an incompatible program was installed.
  - If your system files are damaged, do a repair installation of Windows.
- This process uses 100% CPU time
  - This can be caused by a variety of problems. Try uninstalling any security software (anti-virus, firewall, anti-spyware) that you may have.
  - Try disabling your COM port (there is a known problem with the NetMos PCI Serial Port and winlogon.exe).
  - If there is a domain controller on your network, ensure that your network settings are such that your system can see it.
Automatic startup locations

- 001 Running Processes
- 002 Autorun registry entries local machine
- 003 Autorun registry entries Current User
- 004 All users startup startmenu
- 005 Current user startup startmenu
- 007 Roaming Start Menu\Programs\Startup
- 008 Autorun registry entries Default user
- 009 Autorun registry entries SYSTEM user
- 010 Installed services
- 012 Autorun registry entries S-1-5-XX users
- 033 Winlogon Userinit
- 034 Winlogon Shell
- 035 Active Setup Installed Components
- 038 Winlogon Taskman
- 063 BootExecute
- 065 Image File Execution Options (debugger)
- 073 %windir%\Tasks
- 136 Local Machine Runonce (+subkeys)
- 139 Windows\load
- 140 Windows\run
- 146 AlternateShell
- 166 HKCU Policies\Explorer\Run
- 167 HKLM Policies\Explorer\Run
- 191 Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Digital signatures found for this file

| Signer of certificate | Issuer of certificate |
|---|---|
| ESET, spol. s r.o. | Symantec Time Stamping Services Signer - G3 |
| Kaspersky Lab | VeriSign Time Stamping Services Signer - G2 |
| Microsoft Corporation | Microsoft Timestamping Service |
| Microsoft Corporation | VeriSign Time Stamping Services Signer |
| Microsoft Windows | Microsoft Time-Stamp Service |
| Microsoft Windows | Microsoft Timestamping Service |
| Microsoft Windows | VeriSign Time Stamping Services Signer |
| Microsoft Windows 2000 Publisher | NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc. |
| Microsoft Windows 2000 Publisher | VeriSign Time Stamping Service |
| Microsoft Windows 2000 Publisher | VeriSign Time Stamping Service CA SW1 |
| Microsoft Windows 2000 Publisher | VeriSign Time Stamping Services Signer |
| Microsoft Windows 2000 Publisher (Europe) | VeriSign Time Stamping Service |
| Microsoft Windows 2000 Publisher (Europe) | VeriSign Time Stamping Service CA SW1 |
| Microsoft Windows Component Publisher | Microsoft Time-Stamp Service |
| Microsoft Windows Component Publisher | Microsoft Timestamping Service |
MD5 security rating in our database

| Files | Rating |
|---|---|
| 802 | Not yet rated and not signed |
| 3 | Not yet rated and digitally signed |
| 16 | Safe and not signed |
| 445 | Safe and digitally signed |

Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to winlogon.exe. Always make sure that your file is from a verified publisher.

Application errors

User comments

There are no comments yet.