TechSpot

Winlogon.exe running 50% CPU

By billyellis
Mar 3, 2008
  1. Hi,

    I am currently experiencing an issue where winlogon.exe is running 50% of my CPU constantly - it is not fluctuating at all.

    When I logged in today, I entered my login info and my wallpaper flashed briefly before returning to the login screen. When I logged in again it worked normally.

    Now my virus-scan is warning me of changes to my shell32 and hosts files (attached), and I have not run WindowsUpdate today. There also are "Generic9.BGEU" trojans in a couple of archives. Lastly, streaming video is having a lot of problems, possibly because of the CPU hogging by "winlogon" but I thought I would mention it for completeness' sake.

    Are there any new viruses, etc. out that are related to winlogon.exe? When I "logged in" twice, did I inadvertently provide a hacker with my logon info??

    Can I manually stop winlogon.exe and have it run normally upon reboot?
     
  2. kritius

    kritius TS Guru Posts: 2,084

    It depends where the winlogon.exe is running; if it's from the Msconfig/Startup it's OK, if it's elsewhere then I would say malware.

    It could be the NEVEG.A WORM

    Check to see if there is anything like this in the registry,

    1. Click Start > Run.
    2. Type regedit

    Then click OK.

    3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, check to see if any of the following values are present:

    ".Prog" = "%Windir%\system\winlogon.exe"
    "BuildLab" = "%Windir%\system\winlogon.exe"
    "ccApps" = "%Windir%\system\winlogon.exe"
    "FriendlyTypeName" = "%Windir%\system\winlogon.exe"
    "Microsoft Visual SourceSafe"= "%Windir%\system\winlogon.exe"
    "RegDone" = "%Windir%\system\winlogon.exe"
    "TEXTCONV" = "%Windir%\system\winlogon.exe"
    "WMAudio" = "%Windir%\system\winlogon.exe"

    If they are, I would get rid of them.

    5. Exit the Registry Editor.
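
The Run-key check from the post above, as an added example that is not part of the original thread. It is read-only, assumes PowerShell 3.0 or later, and goes beyond the eight listed names by also reporting any Run value that launches a `winlogon.exe` outside `System32`; the function name `Test-RunValue` and the output column names are illustrative.

```powershell
# Added example, not from the thread. Read-only: nothing is modified or deleted.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# Value names quoted in the post above.
$listedNames = @('.Prog', 'BuildLab', 'ccApps', 'FriendlyTypeName',
                 'Microsoft Visual SourceSafe', 'RegDone', 'TEXTCONV', 'WMAudio')

function Test-RunValue {
    param([string]$Name, [string]$Data)
    # Expand %Windir%-style variables and drop surrounding quotes before comparing.
    $path = [Environment]::ExpandEnvironmentVariables($Data).Trim().Trim('"')
    [pscustomobject]@{
        Name            = $Name
        Data            = $Data
        ListedInPost    = $listedNames -contains $Name
        NamesWinlogon   = $path -match '\\winlogon\.exe'
        OutsideSystem32 = -not $path.StartsWith($expected, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Read each value unexpanded so the report shows the data exactly as stored.
$key = Get-Item -Path $runKey
$results = foreach ($name in $key.GetValueNames()) {
    $raw = $key.GetValue($name, '',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    Test-RunValue -Name $name -Data ([string]$raw)
}

# Report values named in the post, plus any value that starts a winlogon.exe
# from somewhere other than %SystemRoot%\System32.
$results |
    Where-Object { $_.ListedInPost -or ($_.NamesWinlogon -and $_.OutsideSystem32) } |
    Format-Table -AutoSize -Wrap

# Show where each running winlogon.exe was loaded from.
# ExecutablePath can be empty unless the session is elevated.
Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" |
    Select-Object ProcessId, ExecutablePath,
        @{ Name = 'IsExpectedPath'; Expression = { $_.ExecutablePath -eq $expected } }
```

An empty first table means none of the listed values, and no misplaced `winlogon.exe` launcher, is present in that key.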
     
  3. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    None of those entries is there. (yay)

    But I'm still a little spooked by the strange combination of
    1. double logon with a never seen before 'partial' logon and then apparent kickout
    2. strange behavior from startup program controlling logon
    3. red flags from virus scanner
    :(

    So if anyone hears anything about new security issues masquerading as winlogon to steal logon info, please add a note to this thread.
     
  4. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    Update:

    I just noticed an access denial that I have not seen before (attached). I am logged on as the Administrator, but I am being denied access to AllUsers/Documents.

    I recently set up a home network, which is currently disabled. Could this denial simply be because another known network computer is disconnected? I would think that the "AllUsers" section for this computer would refer exclusively to users on this computer...
     


  5. kritius

    kritius TS Guru Posts: 2,084

    I think that you would be better off following the advice HERE.

    If only to gain peace of mind.
     
  6. JRudi

    JRudi TS Rookie

    Winlogon.exe Solution

    I had this same problem. The CPU utilization was at 50% with no programs running. winlogon was showing 50% CPU usage all the time.

    I resolved this problem by installing XP Service Pack 3, per a Microsoft KB article - /946480, which states it fixes a memory leak in winlogon.exe.

    Hope this helps someone else.

    Judi
     