Winlogon.exe running 50% CPU

By billyellis
Mar 3, 2008
  1. Hi,

    I am curently experiencing an issue where winlogon.exe is running 50% of my CPU constantly - it is not fluctuating at all.

    When I logged in today, I entered my login info and my wallpaper flashed briefly before returning to the login screen. When I logged in again it worked normally.

    Now my virus-scan is warning me of changes to my shell32 and hosts files (attached), and I have not run WindowsUpdate today. There also are "Generic9.BGEU" trojans in a couple of archives. Lastly, streaming video is having a lot of problems, possibly because of the CPU hogging by "winlogon" but I thought I would mention it for completeness' sake.

    Are there any new viruses, etc. out that are related to winlogon.exe? When I "logged in" twice, did I inadvertently provide a hacker with my logon info??

    Can I manually stop winlogon.exe and have it run normally upon reboot?
  2. kritius

    kritius TS Guru Posts: 2,084

    It depends where the winlogon.exe is running, if its from the Msconfig/Startup its ok, if its elsewhere then I would say malware.

    It could be the NEVEG.A WORM

    Check to see if there is anything like this in the registry,

    1. Click Start > Run.
    2. Type regedit

    Then click OK.

    3. Navigate to the key:


    4. In the right pane, check to see if any of the follow values are present:

    ".Prog" = "%Windir%\system\winlogon.exe"
    "BuildLab" = "%Windir%\system\winlogon.exe"
    "ccApps" = "%Windir%\system\winlogon.exe"
    "FriendlyTypeName" = "%Windir%\system\winlogon.exe"
    "Microsoft Visual SourceSafe"= "%Windir%\system\winlogon.exe"
    "RegDone" = "%Windir%\system\winlogon.exe"
    "TEXTCONV" = "%Windir%\system\winlogon.exe"
    "WMAudio" = "%Windir%\system\winlogon.exe"

    if they are i would get rid of them.

    5. Exit the Registry Editor.
  3. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    None of those entries is there. (yay)

    But I'm still a little spooked by the strange combination of
    1. double logon with a never seen before 'partial' logon and then apparent kickout
    2. strange behavior from startup program controlling logon
    3. red flags from virus scanner

    So if anyone hears anything about new security issues masquerading as winlogon to steal logon info, please add a note to this thread.:suspiciou
  4. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155


    I just noticed an access denial that I have not seen before (attached). I am logged on as the Administrator, but I am being denied access to AllUsers/Documents.

    I recently set up a home network, which is currently disabled. Could this denial simply be because another known network computer is disconnected? I would think that the "AllUsers" section for this computer would refer exclusively to users on this computer...

    Attached Files:

  5. kritius

    kritius TS Guru Posts: 2,084

    I think that you would be better off following the advice HERE.

    If only to gain piece of mind.
  6. JRudi

    JRudi TS Rookie

    Winlogon.exe Solution

    I had this same problem. The CPU utilization was at 50% with no programs running. winlogon was showing 50% CPU usage all the time.

    I resolved this problem by installing XP service pack 3, per a microsoft kb article - /946480, which states it fixes a memory leak in winlogon.exe.

    Hope this helps someone else.

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...