Summary: It's quite possible to have more than one winlogon.exe, but knowing which are good and which are suspect isn't always clear.
Winlogon.exe is expected and a copy should be running. What you mean by "a substantial portion" of memory will depend on a lot of things. And there are likely to be several copies; I have four, myself.

Let's review winlogon.exe, what's worth being concerned about, and what all those copies might be.

The short version is that winlogon.exe is the process that handles your logging in to Windows. When you click on a user name after boot up, or enter a user name and password, that's winlogon handling the job. It also handles logging off and a number of other things, but you get the idea; its name actually does a good job of identifying its primary function.

Now, because it's always present, the name "winlogon.exe" is a favorite target for misuse by malware authors. When they distribute their bogus programs under the name winlogon.exe, things appear "normal" to the casual observer looking at a process list in Task Manager.

Some folks will tell you that if you see a winlogon.exe anywhere other than c:\windows\system32, the other copy is a virus. Not true. Given the way that Windows Update works, and the way that Windows File Protection works, there may in fact be several copies of winlogon.exe that are perfectly valid, and possibly not even the same version.
For example, here's what's on my Windows XP Pro machine:
All of those are valid, and their presence does not indicate that you have malware. However, if you find winlogon.exe anywhere else on your machine ... well, then perhaps it's time for a little concern followed by an up-to-date virus scan.

To examine what's running on your machine, I'd recommend using Process Explorer rather than Task Manager. We can get a little more information out of procexp. With Process Explorer running, just hovering over the line for winlogon.exe will show perhaps the most interesting bit of information of all:
As you can see, the popup tool tip shows that this instance is running from the copy of winlogon.exe in C:\WINDOWS\SYSTEM32. In other words, it's running the copy that we expect it to. If not, then it's time for that up-to-date virus scan.

Right-click on winlogon.exe in Process Explorer and select Properties and you'll get the same information and some more details:
Click on the Performance tab and you'll get some information about winlogon's resource utilization:
Most interesting might be the Virtual Size (199,168 K on my machine, or around 200 megabytes), and the Working Set (22,516 K). This is a real example and I'd expect them to be pretty normal and representative numbers.

So, what if your numbers are way off from that? Or what if your legitimate instance of winlogon.exe in C:\Windows\System32 is eating up all your CPU?

Turns out there are several different potential causes. Searching Microsoft's support site for winlogon.exe returns several articles describing several different scenarios. The scenarios are rare, but if you've determined that you're not fighting a malware infection, those articles are the next place I'd look for what to do.
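The Process Explorer checks described in this article can also be scripted. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later run from an elevated prompt, and it lists each running winlogon.exe with its image path and memory figures, then every on-disk copy with its version.

```powershell
# Added example: scripted equivalent of hovering over winlogon.exe in Process Explorer.
# Assumption: elevated prompt. Without elevation ExecutablePath may come back empty.
$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'winlogon.exe'" |
    ForEach-Object {
        # Some Windows versions report the path with a leading \??\ prefix; strip it.
        $path = $_.ExecutablePath -replace '^\\\?\?\\', ''

        $verdict = if (-not $path) {
            'UNKNOWN: path not readable, re-run elevated'
        } elseif ($path -ieq $expected) {
            'expected location'
        } else {
            # The case the article says calls for an up-to-date virus scan.
            'UNEXPECTED location: scan this file'
        }

        [pscustomobject]@{
            PID          = $_.ProcessId
            Session      = $_.SessionId
            Path         = $path
            WorkingSetKB = [math]::Round($_.WorkingSetSize / 1KB)
            VirtualKB    = [math]::Round($_.VirtualSize / 1KB)
            Verdict      = $verdict
        }
    } | Format-Table -AutoSize

# On-disk copies: several can be legitimate and may differ in version,
# so list location, size and file version side by side for review.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'winlogon.exe' -Recurse -Force `
        -ErrorAction SilentlyContinue |
    Select-Object FullName, Length,
        @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } },
        LastWriteTime |
    Format-Table -AutoSize
```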
Recent Comments

Great help!! Thanks!!
Posted by: Ton Walter Zermeño at November 27, 2007 10:12 PM

my system32 winlogon is around 300,000 bytes

I'm not sure that it means anything.
Leo

This is great. I am techno-baffled at the best of times and my XP system is a mystery. Recently, I've slowed right down (and so has my computer:)). More recently, I noticed in Task Manager that this file is eating up 97% of CPU, almost always! Thanks to "googling" based on my suspicions and your article which came up on search, I searched through my computer to find 5 files on my C: and 1 temporary internet file with this file listed. I am not sure if I'll figure the whole thing out, but I feel like I am pointed in the right direction and armed with some useful information! Thank you VERY much for taking some of the panic away.
Posted by: Toby Toth at May 5, 2008 01:08 PM

the process viewer works great :) but remember this there isn't and never will be a winlogon.exe in the c:/windows folder so if you find it there it's a renamed malware/virus, had this issue i booted to safe mode and renamed the file then restarted and deleted the renamed file and now i only have 1 winlogon.exe in explorer hope that helps some ppl
Posted by: Mike at May 11, 2008 07:21 PM