I have multiple versions of winlogon.exe on my computer. When I boot up, I
have configured my system to run and display Task Manager so I can see what's
up. I have noticed that the winlogon.exe takes up a substantial portion of
memory, and I don't know why, if Windows XP Home SP2 has already loaded AND
when I have not asked MSN to load, why would this file launch? Is it related to
the operating system or MSN or MSN Messenger? Can I delete the versions of
winlogon.exe that are dated 2002 and have earlier version numbers?
Winlogon.exe is expected and a copy should be running. What you mean by "a
substantial portion" of memory will depend on a lot of things.
And there are likely to be several copies; I have four, myself.
Let's review winlogon.exe, what's worth being concerned about, and what all
those copies might be.
The short version is that winlogon.exe is the process that handles your
logging in to Windows. When you click on a user name after boot up, or enter a
user name and password, that's winlogon handling the job. It also handles
logging off and a number of other things, but you get the idea; its name
actually does a good job of identifying its primary function.
Now, because it's always present, the name "winlogon.exe" is a favorite
target for misuse by malware authors. By distributing their bogus programs
under the name winlogon.exe, they make things appear "normal" when the casual
observer looks at a process list using Task Manager.
Now, some folks will tell you that if you see a winlogon.exe
anywhere other than c:\windows\system32, the other copy is a
virus. Not true. Given the way that Windows Update works, and the way that
Windows File Protection works, there may in fact be several copies of
winlogon.exe that are perfectly valid, and possibly not even the same
version.
For example, here's what's on my Windows XP Pro machine:
- C:\WINDOWS\SYSTEM32\winlogon.exe: 502,272 bytes dated
  2004-08-04 00:56:58. This is the "real" version of winlogon.exe that's actually
  running on my machine.
- C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe: also 502,272
  bytes and also dated 2004-08-04 00:56:58. This is the copy used by Windows File
  Protection - should the "real" winlogon.exe in SYSTEM32, above, become corrupt
  or be overwritten by another, WFP will replace it with this master backup copy.
  (Should this backup copy become corrupt or disappear, I believe that WFP will
  then ask for the installation CD instead.)
- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe: still
  502,272 bytes and still dated 2004-08-04 00:56:58. This is more-or-less the
  equivalent of the C:\I386 folder, which typically contains a copy of the files
  from your installation CD, except that this is a copy of the files which were
  updated in Service Pack 2. I believe it's used by WFP if the DLL Cache doesn't
  work for some reason. ServicePackFiles\i386 is also used (like C:\I386) if new
  components are installed that require additional operating system files that
  weren't already installed.
- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe: this time
  we see a size of 516,608 bytes and a date of 2002-08-29 03:00:00. This is the
  version of winlogon.exe that was replaced by Service Pack 2, and which is
  preserved in case SP2 is ever uninstalled.
- C:\I386\winlogon.exe: ok, this isn't on my machine because
  I moved my C:\I386 directory to another location on my network, but you may
  well find it here.
All of those are valid, and their presence does not indicate that you have
malware.
However, if you find winlogon.exe anywhere else on your machine ... well,
then perhaps it's time for a little concern followed by an up-to-date virus
scan.
To examine what's running on your machine, I'd recommend using Process Explorer rather than Task Manager. We
can get a little more information out of procexp.
With Process Explorer running, just hovering over the line for winlogon.exe
will show perhaps the most interesting bit of information of all:
As you can see the popup tool tip shows that this instance is running from
the copy of winlogon.exe in C:\WINDOWS\SYSTEM32. In other words, it's running
the copy that we expect it to. If not, then it's time for that up-to-date
virus scan.
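The two checks described above, where the copies of winlogon.exe live and which copy is actually running, can also be scripted. The PowerShell below is an added example, not part of the original article; it assumes PowerShell is installed and treats only the folders the article lists for Windows XP as expected, so the list needs adjusting on other Windows versions.

```powershell
# Added example: inventory winlogon.exe copies and running instances.
# Assumption: the allowlist below is the article's Windows XP list.
$winDir   = $env:SystemRoot      # e.g. C:\WINDOWS
$sysDrive = $env:SystemDrive     # e.g. C:

$expectedDirs = @(
    "$winDir\System32",
    "$winDir\System32\dllcache",
    "$winDir\ServicePackFiles\i386",
    ($winDir + '\$NtServicePackUninstall$'),   # single quotes keep the $ signs literal
    "$sysDrive\I386"
)

# 1. Every file named winlogon.exe on the system drive.
#    -Force includes hidden folders such as dllcache.
$copies = Get-ChildItem -Path "$sysDrive\" -Filter 'winlogon.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTime
            Version  = $_.VersionInfo.FileVersion   # set by whoever built the file: a hint, not proof
            Expected = ($expectedDirs -contains $_.DirectoryName)   # -contains ignores case
        }
    }
$copies | Sort-Object Expected, Path |
    Format-Table Expected, Bytes, Modified, Version, Path -AutoSize

# 2. Image path of each running instance. Path is empty when the shell lacks
#    the rights to inspect the process, so report that instead of guessing.
$expectedImage = "$winDir\System32\winlogon.exe"
Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object {
    if (-not $_.Path) {
        $status = 'path unavailable; rerun from an elevated prompt'
    } elseif ($_.Path -eq $expectedImage) {
        $status = 'expected location'
    } else {
        $status = 'UNEXPECTED location'
    }
    '{0,6}  {1}  [{2}]' -f $_.Id, $_.Path, $status
}
```

A path reported as unavailable is not itself a sign of infection; it means the shell lacks the rights to inspect that process. Rows with Expected = False are the ones that deserve the up-to-date virus scan.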
Right click on winlogon.exe in Process Explorer and select
Properties and you'll get the same information and some more
details:
Click on the Performance tab and you'll get some
information about winlogon's resource utilization:
Most interesting might be the Virtual Size (199,168 K on my machine, or
around 200 megabytes), and the Working Set (22,516 K). This is a real example
and I'd expect them to be pretty normal and representative numbers.
So, what if your numbers are way off from that? Or what if your
legitimate instance of winlogon.exe in C:\Windows\System32 is eating up all
your CPU? Turns out there are several different potential causes. Searching
Microsoft's support site for
winlogon.exe returns several articles describing several
different scenarios. They're rare, but if you've determined that you're not
fighting a malware infection, they're the next place I'd look for what to do
next.
my system32 winlogon is around 300,000 bytes
what does this mean ? :s
I'm not sure that it means anything.
Leo
This is great. I am techno-baffled at the best of times and my XP system is a mystery. Recently, I've slowed right down (and so has my computer:)). More recently, I noticed in Task Manager that this file is eating up 97% of CPU, almost always! Thanks to "googling" based on my suspicions and your article which came up on search, I searched through my computer to find 5 files on my C: and 1 temporary internet file with this file listed. I am not sure if I'll figure the whole thing out, but I feel like I am pointed in the right direction and armed with some useful information!
Thank you VERY much for taking some of the panic away.
the process viewer works great :) but remember this: there isn't and never will be a winlogon.exe in the c:/windows folder, so if you find it there it's a renamed malware/virus. had this issue, i booted to safe mode and renamed the file, then restarted and deleted the renamed file, and now i only have 1 winlogon.exe in explorer. hope that helps some ppl
Hi,
You say that you have 4 winlogon.exe files but I have one directly under "C:/". Does this mean that any other winlogon.exe files are malware??
This article was the most helpful of any I found. Some of my winlogon.exe files did not match your specs (different size & date) which is probably the problem. I copied the \i386 file which was the same and replaced the one in \system32. So far this has helped.
WARNING! Do not attempt to restart your computer without winlogon.exe in \system32 file. You will get a visit from the BLUE SCREEN OF DEATH!
Thanks for your help, Leo!
I have a copy of winlogon.exe in my Root Directory of WINDOWS. Not in System32 or System
every time I turn on my computer and winlogon.exe comes up and I hit ok or cancel my computer turns off by itself... what to do to prevent that and install my anti-virus
thank you
Johnny
hi, I just had an error.. a pop up came saying winlogon had an issue...
that happened after 5 times I turned on/off my pc to enter windows. I was scared, idk if that will keep happening... when I turned my pc on it got stuck on the very first black screen where it checks the devices (hard drives and dvds) ... it just didn't show anything, like if it didn't find the hard drives and dvds... so that's when I turned off/on again like 5 times until it finally found the hard drive and dvds and started windows...
weird, I'm a little scared.. after that when windows started it came the winlogon.exe error..
what should I do?
I already checked my winlogon.exe files, I just got 2 and they are under the descriptions above so I guess it's not malware/virus...
Hi,
I have been struggling with this winlogon.exe for the last 2 weeks. It is always seen using upwards of 90% of the CPU time. One thing I noticed is that one of the processes is running as a user (there are 2 of them). I found this through Process Explorer and then killed the one running under my user name. The system seems to have improved after that. Did I do it right? If yes, what should I be doing to remove this from my PC forever?
Regards
This is not always true. I had to manually remove a virus by the name of winlogon.exe from my cousin's computer. I found it in the system 32 folder in multiple instances and the icon looked like a moon hanging in church stained glass, as well as the registry. It was keeping explorer.exe from running at start up so I would have to open the task manager and manually start
I have downloaded Process Explorer. When I follow your directions to hover over winlogon.exe, the hover box reads "winlogon.exe"
When I right click and go to Properties, the Image tab and the Performance tab are nothing similar to what you have posted. The Image tab does not show the same image, the version is "n/a" as well as the time is "n/a" and the path is "not available." The Command line is blank and the current directory is blank. The Parent says "non-existent process (632)" and the user says "access denied."
When I click on the Performance tab, everything is at "n/a."
I have McAfee, a paid version of Super Anti-Spyware and unpaid Spybot SD Resident. All have been run and updated. I am using Vista on a Dell computer.
When I look at the Windows Task Manager (which is where I started before I downloaded Process Explorer), the Image Name is winlogon.exe but shows no user name, no cpu, 692K of memory and no description.
Is this a virus or someone hacking into my computer through a wireless connection (even possibly my roommate who uses the same wireless connection and set up my wireless router)?
Please help and I appreciate your time and response.
If you are seeing winlogon86 on your computer, you have a virus. If you go to task manager and click on processes you will see which winlogon you have installed. It will delete your desktop, freeze your computer, make it almost impossible to get onto the internet. Be careful not to delete winlogon that does not have any additional numbers or words. I would google anything before removing it from your system.
I have the same problem as NKelly, what should I do?
The instruction at "0x76c6a921" referenced memory at "0xe3aac18". The memory could not be "read".
Click OK to terminate the program
Click CANCEL to debug the program.
When I clicked OK, it rebooted my system.
"please help me in this problem"
I have heard that if you have 2 winlogon.exe (that is with no extra numbers or words in it) in your task manager it might mean you have been keylogged. But do not try to delete any of them because if you delete the wrong one your PC will not work anymore. Also, if winlogon.exe is not a file from the Microsoft Corporation then it is most likely a type of malware.