I have multiple winlogon.exe files on my machine, and one's taking up a lot of memory - what do I do?
Helping people with computers... one answer at a time.
It's quite possible to have more than one winlogon.exe, but knowing which are good and which are suspect isn't always clear.
I have multiple versions of winlogon.exe on my computer. When I boot up, I have configured my system to run and display Task Manager so I can see what's up. I have noticed that the winlogon.exe takes up a substantial portion of memory, and I don't know why, if Windows XP Home SP2 has already loaded AND when I have not asked MSN to load, why would this file launch? Is it related to the operating system or MSN or MSN Messenger? Can I delete the versions of winlogon.exe that are dated 2002 and have earlier version numbers?
•
Winlogon.exe is expected and a copy should be running. What you mean by "a substantial portion" of memory will depend on a lot of things.
And there are likely to be several copies; I have four, myself.
Let's review winlogon.exe, what's worth being concerned about, and what all those copies might be.
•
The short version is that winlogon.exe is the process that handles your logging in to Windows. When you click on a user name after boot up, or enter a user name and password, that's winlogon handling the job. It also handles logging off and a number of other things, but you get the idea; its name actually does a good job of identifying its primary function.
Now, because it's always present, the name "winlogon.exe" is a favorite target for misuse by malware authors. By distributing their bogus programs with a name of winlogon.exe things appear "normal" when the casual observer looks at a process list using task manager.
Now some folks will tell you that if you see a winlogon.exe anywhere other than c:\windows\system32, that the other copy is a virus. Not true. Given the way that Windows Update works, and the way that Windows File Protection works there may in fact be several copies of winlogon.exe that are perfectly valid, and possibly not even the same version.
For example, here's what's on my Windows XP Pro machine:
-
C:\WINDOWS\SYSTEM32\winlogon.exe: 502,272 bytes dated 2004-08-04 00:56:58. This is the "real" version of winlogon.exe that's actually running on my machine.
-
C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe: also 502,272 bytes and also dated 2004-08-04 00:56:58. This is the copy used by Windows File Protection - should the "real" winlogon.exe in SYSTEM32, above, become corrupt or be overwritten by another, WFP will replace it with this master backup copy. (Should this backup copy become corrupt or disappear, I believe that WFP will then ask for the installation CD instead.)
-
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe: still 502,272 bytes and still dated 2004-08-04 00:56:58. This is more-or-less the equivalent of the C:\I386 folder, which typically contains a copy of the files from your installation CD, except that this is a copy of the files which were updated in Service Pack 2. I believe it's used by WFP if the DLL Cache doesn't work for some reason. ServicePackFiles\i386 is also used (like C:\I386) if new components are installed that require additional operating system files that weren't already installed.
-
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe: this time we see a size of 516,608 bytes and a date of 2002-08-29 03:00:00. This is the version of winlogon.exe that was replaced by Service Pack 2, and which is preserved in case SP2 is ever uninstalled.
-
C:\I386\winlogon.exe: ok, this isn't on my machine because I moved my C:\I386 directory to another location on my network, but you may well find it here.
All of those are valid, and their presence does not indicate that you have malware.
However, if you find winlogon.exe anywhere else on your machine ... well, then perhaps it's time for a little concern followed by an up-to-date virus scan.
•
To examine what's running on your machine, I'd recommend using Process Explorer rather than Task Manager. We can get a little more information out of procexp.
With Process Explorer running, just hovering over the line for winlogon.exe will show perhaps the most interesting bit of information of all:
As you can see the popup tool tip shows that this instance is running from the copy of winlogon.exe in C:\WINDOWS\SYSTEM32. In other words, it's running the copy that we expect it too. If not, then it's time for that up-to-date virus scan.
Right click on winlogon.exe in Process Explorer and select Properties and you'll get the same information and some more details:
Click on the Performance tab and you'll get some information about winlogon's resource utilization:
Most interesting might be the Virtual Size (199,168 K on my machine, or around 200 megabytes), and the Working Set (22,516 K). This is a real example and I'd expect them to be pretty normal and representative numbers.
So, what if your numbers are way off from that? Or what if your legitimate instance of winlogon.exe in C:\Windows\System32 is eating up all your CPU? Turns out there are several different potential causes. Searching Microsoft's support site for winlogon.exe returns several articles describing several different scenarios. They're rare, but if you've determined that you're not fighting a malware infection, they're the next place I'd look for what to do next.
Article C3110 - August 7, 2007
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
I have downloaded Process Explorer. When I follow your directions to hover over winlogon.exe, the hover box reads "winlogon.exe"
Posted by: NKelly at January 22, 2010 9:22 AMWhen I right click and go to Properties, The Image tab and the Performance tab are nothing similar to what you have posted. The Image tab does not show the same image, the version is "n/a" as well as the time is "n/a" and the path is "not available." the Command line is blank andthe currecnt directory is blank. The Parent says "non-existant process (632)" and the user says "access denied."
Whne I click on the Performace tab, everything is at "n/a."
I have McAfee, a paid version of Super Anti-Spyware and unpaid Spybot SD Resident. All have been run and updated. I am using Vista on a Dell computer.
When I look at the Windows Task Manager (which is where I started before I downloaded Process Explorer), the Image Name is winlogon.exe but shows no user name, no cpu, 692K of memory and no description.
Is this a virus or someone hacking into my computer through a wireless connection (even possibly my roommate who uses the same wireless connection and set up my wireless router)?
Please help and I appreciate your time and response.
If you are seeing winlogon86 on your computer, you have a virus. If you go to task manager and click on processes you will see which winlogon you have installed. It will delete your desktop, freeze your computer, make it almost impossible to get onto the internet. Be careful not to delete winlogon that does not have any additional numbers or words. I would google anything before removing it from your system.
Posted by: Rose at February 3, 2010 3:53 PMI have the same problem as NKelly, what should I do?
Posted by: Chris at January 6, 2011 6:29 PMThe instruction at '0x76c6a921' referenced memory at '0xe3aac18'. The memory could not be 'read'.
Click OK to terminate the program
Click CANCEL to debug the program.
When I clicked OK, it rebooted my system.
Posted by: ihsan at May 30, 2011 10:24 PM"please help me in this problem"
I have heard that if you have 2 winlogon.exe (that is with no extra numbers or words in it) in your task manager might mean you have been keylogged.But do not try to delete any of them because if you delete the wrong one your PC will not work anymore.Also, if winlogon.exe is not a file from the Microsoft Corporation than it is most likely a type of malware.
Posted by: Help at September 14, 2011 7:46 AM