I have multiple versions of winlogon.exe on my computer. When I boot up, I
have configured my system to run and display Task Manager so I can see what’s
up. I have noticed that the winlogon.exe takes up a substantial portion of
memory, and I don’t know why, if Windows XP Home SP2 has already loaded AND
when I have not asked MSN to load, why would this file launch? Is it related to
the operating system or MSN or MSN Messenger? Can I delete the versions of
winlogon.exe that are dated 2002 and have earlier version numbers?

Winlogon.exe is expected and a copy should be running. What you mean by “a
substantial portion” of memory will depend on a lot of things.
And there are likely to be several copies; I have four, myself.
Let’s review winlogon.exe, what’s worth being concerned about, and what all
those copies might be.
The short version is that winlogon.exe is the process that handles your
logging in to Windows. When you click on a user name after boot up, or enter a
user name and password, that’s winlogon handling the job. It also handles
logging off and a number of other things, but you get the idea; its name
actually does a good job of identifying its primary function.
Now, because it’s always present, the name “winlogon.exe” is a favorite
target for misuse by malware authors. By distributing their bogus programs with
a name of winlogon.exe things appear “normal” when the casual observer looks at
a process list using task manager.
Now some folks will tell you that if you see a winlogon.exe
anywhere other than c:\windows\system32, that the other copy is a
virus. Not true. Given the way that Windows Update works, and the way that
Windows File Protection works there may in fact be several copies of
winlogon.exe that are perfectly valid, and possibly not even the same
For example, here’s what’s on my Windows XP Pro machine:
C:\WINDOWS\SYSTEM32\winlogon.exe: 502,272 bytes dated
2004-08-04 00:56:58. This is the “real” version of winlogon.exe that’s actually
running on my machine.
C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe: also 502,272
bytes and also dated 2004-08-04 00:56:58. This is the copy used by Windows File
Protection – should the “real” winlogon.exe in SYSTEM32, above, become corrupt
or be overwritten by another, WFP will replace it with this master backup copy.
(Should this backup copy become corrupt or disappear, I believe that WFP will
then ask for the installation CD instead.)
502,272 bytes and still dated 2004-08-04 00:56:58. This is more-or-less the
equivalent of the C:\I386 folder, which typically contains a copy of the files
from your installation CD, except that this is a copy of the files which were
updated in Service Pack 2. I believe it’s used by WFP if the DLL Cache doesn’t
work for some reason. ServicePackFiles\i386 is also used (like C:\I386) if new
components are installed that require additional operating system files that
weren’t already installed.
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe: this time
we see a size of 516,608 bytes and a date of 2002-08-29 03:00:00. This is the
version of winlogon.exe that was replaced by Service Pack 2, and which is
preserved in case SP2 is ever uninstalled.
C:\I386\winlogon.exe: OK, this isn’t on my machine because
I moved my C:\I386 directory to another location on my network, but you may
well find it here.
All of those are valid, and their presence does not indicate that you have
However, if you find winlogon.exe anywhere else on your machine … well,
then perhaps it’s time for a little concern followed by an up-to-date virus
To examine what’s running on your machine, I’d recommend using Process Explorer rather than Task Manager. We
can get a little more information out of procexp.
With Process Explorer running, just hovering over the line for winlogon.exe
will show perhaps the most interesting bit of information of all:
As you can see the popup tool tip shows that this instance is running from
the copy of winlogon.exe in C:\WINDOWS\SYSTEM32. In other words, it’s running
the copy that we expect it to. If not, then it’s time for that up-to-date
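
The location rules above can be written down as a small check. This is an added example, not part of the original article: it classifies winlogon.exe paths against the folders listed earlier and applies the stricter rule that a running instance should come only from SYSTEM32. The sample paths are constructed, and placing ServicePackFiles\i386 under C:\WINDOWS is an assumption.

```python
import ntpath

# Folders the article lists as legitimate homes for winlogon.exe.
# ServicePackFiles\i386 is named on the page without its parent folder;
# putting it under C:\WINDOWS is an assumption of this example.
RUNNING_DIR = r"C:\WINDOWS\SYSTEM32"
BACKUP_DIRS = [
    r"C:\WINDOWS\SYSTEM32\DLLCACHE",
    r"C:\WINDOWS\ServicePackFiles\i386",
    r"C:\WINDOWS\$NtServicePackUninstall$",
    r"C:\I386",
]

def _norm(path):
    # Collapse "..", unify slashes and fold case: Windows paths are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def classify(path, running=False):
    """Return 'expected', 'backup-copy', 'suspicious' or 'not-winlogon'."""
    folder, name = ntpath.split(_norm(path))
    if name != "winlogon.exe":
        return "not-winlogon"
    if folder == _norm(RUNNING_DIR):
        return "expected"
    if folder in [_norm(d) for d in BACKUP_DIRS]:
        # Fine on disk, but a running process should never use a backup copy.
        return "suspicious" if running else "backup-copy"
    return "suspicious"

def review(files_on_disk, running_images):
    """Map each path to a verdict; running images get the stricter rule."""
    report = {p: classify(p) for p in files_on_disk}
    report.update({p: classify(p, running=True) for p in running_images})
    return report

# Constructed sample input (hypothetical paths, not taken from a real machine).
SAMPLE_DISK = [
    r"C:\WINDOWS\SYSTEM32\winlogon.exe",
    r"c:/windows/system32/dllcache/WINLOGON.EXE",
    r"C:\Documents and Settings\user\Local Settings\Temp\winlogon.exe",
]
SAMPLE_RUNNING = [r"C:\WINDOWS\SYSTEM32\winlogon.exe"]

if __name__ == "__main__":
    for path, verdict in review(SAMPLE_DISK, SAMPLE_RUNNING).items():
        print(f"{verdict:12} {path}")
```

A "suspicious" verdict means the same thing it does in the text: a reason to look closer and run an up-to-date scan, not proof of infection.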
Right click on winlogon.exe in Process Explorer and select
Properties and you’ll get the same information and some more
Click on the Performance tab and you’ll get some
information about winlogon’s resource utilization:
Most interesting might be the Virtual Size (199,168 K on my machine, or
around 200 megabytes), and the Working Set (22,516 K). This is a real example
and I’d expect them to be pretty normal and representative numbers.
So, what if your numbers are way off from that? Or what if your
legitimate instance of winlogon.exe in C:\Windows\System32 is eating up all
your CPU? Turns out there are several different potential causes. Searching
Microsoft’s support site for
winlogon.exe returns several articles describing several
different scenarios. They’re rare, but if you’ve determined that you’re not
fighting a malware infection, they’re the next place I’d look for what to do