Solved

Winlogon.exe sits at 50% cpu

Posted on 2006-06-12
46
11,475 Views
Last Modified: 2010-08-05
After googling and other troubleshooting methods, I need some other opinions on this situation.

Running dell optiplex pentium4 with 1 gig of memory.
OS is xp sp2 with all the latest hotfixes.

The workstation (mine) was fine on Friday when I left, but when I came in this morning I noticed that IE had the IE enhanced security enabled on it. I didn't install the enhanced security settings either.  In IE on the security tab for the "internet" zone it is set to "high" and that is the only option now.

Another thing is my "winlogon.exe" process is taking 50-51% cpu usage in task manager.  I have viewed this in other process explorers and it shows 4 instances of "winlogon.exe" are running, but in the windows task manager it shows only one.

I have already run all of your normal spyware, virus protection programs which include hijackthis, spybot, adaware, windows defender, trend micro, mcafee, panda, bitdefender.  No viruses were found and only a few things were found for spyware/malware which looked like the normal entries I find every time I scan.

My question is if it's not a virus/spyware then why/how/what made my IE settings be hardened over the weekend and the winlogon.exe process stay at 50%?

My main concern right now is the winlogon.exe process taking that much cpu usage at all times.

regards,

kshays
0
Question by:kshays
46 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16890572
Where are these winlogon processes running from?

For comparison, my winlogon.exe file is 491 KB in size dated 8/4/2004 and resides in the c:\windows\system32 folder.

If you have winlogon running from other location that might indicate a problem.
0
 
LVL 16

Author Comment

by:kshays
ID: 16890609
Exactly like you stated :(

No other instances of winlogon are on my system.

regards,

kshays
0
 
LVL 32

Expert Comment

by:r-k
ID: 16890639
Try disabling the AV software that is currently installed, and see if that makes a difference.
0
 
LVL 16

Author Comment

by:kshays
ID: 16890684
Tried that as well.  Even went into safe mode and ran the apps from that perspective as well.
Here is a list off the top of my head of what I've done already.

- checked to make sure no other instances of "winlogon.exe" are on my system.
- ran all usual spyware/malware/antivirus programs in normal and safe mode.
- killed smss.exe and lsass.exe then tried to kill winlogon.exe (winlogon.exe was not able to be killed).  Actually it said it was, but it never went away.  I was using, hmm, process explorer I think from sysinternals.
- checked registry entries in the run section.  Nothing in there that shouldn't be.  Actually just one item and it was the ctfmon.
- hijackthis didn't show anything recent or unusual either.
- checked eventvwr logs.
- did notice that it looked like someone logged onto my system at 4:17 pm Saturday though, considering my pc was off Friday night and was off again Monday morning.  The log said the printer driver was not installed locally on the server and the source computer was my station's name.  The only time I see that warning is when I or someone else remote desktops to either an application server or I remote manage the servers.
- I do have a feeling that a former employee gained access to our network, considering the router, dmz and local switches were configured the same way as when he (IT manager) left a month or so ago, which is NOT good at all.  The network was configured as follows (green, orange, red networks were all connected together and all authentication was coming in on the local (green) network)!!!

There are other things I've done also, I just can't really remember right now.  I've seen articles mention that it's possible it could be hardware related??  Not sure about that one, but I know I cannot boot from a cd anymore though.  Darn dell workstation cannot recognize it for some reason.  That's a whole other story I've battled today as well.

thanks,

kshays :)
0
 
LVL 32

Expert Comment

by:r-k
ID: 16890693
Seems like you've done a lot, but might want to try the following two:

(1) RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html

(2) Process Explorer from: http://www.sysinternals.com/Utilities/ProcessExplorer.html

Process Explorer can sometimes give you an insight about what the process is doing in more detail. It's also quick to run so you might try that before RootkitRevealer.

Have to run but will check back in a couple hours.

Good luck.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16890729
Can we please look at your hijackthis log?
It would show there if there are culprits using the winlogon key.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
LVL 16

Author Comment

by:kshays
ID: 16890769
Yeah, that's the explorer that I used.  I noticed 4 winlog.exe programs running with the main one having the dependencies for it.  I was able to kill it after I killed 2 previous processes.  It didn't kill the other 3 though and I was unable to kill those.

Example:

Winlogon.exe
- services
- other
- others
Winlogon.exe
Winlogon.exe
crss.exe
explorer.exe
- winword.exe
- others

I'll download the rootkitrevealer and see what I can find with that one also.

PS:  I noticed with security explorer and the messages from winlogon.exe I'm getting a bunch of messages about low battery warnings and other warnings about the battery for some reason.

kshays
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16890795
You have "winlog.exe" running?
OK, that is Alcan/P2P Network worm, your hijackthis log should confirm it.

Anyway once confirmed, here is the fix, unless it comes with new variants this should fix it.

1. Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. Download Alcra PLUS Remover.
http://metallica.geekstogo.com/alcanshorty.bfu
Save it in the same folder you made earlier (c:\BFU) <-- Important

Reboot to Safe Mode.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows
0
 
LVL 16

Author Comment

by:kshays
ID: 16890835
DOH, I misspelled that, it's winlogon.exe, sorry :(

I'll most definitely take a look into those also though.  I'm game right now ;)

kshays

PS:  I'll post the hijack log in a few minutes, it's taking a little longer to rd to my workstation from home, the dang process is making it slow to access stuff!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16890855
No need to run those if you haven't got the Alcan worm,

Please let us look at your hijackthis log, I'm positive we can pinpoint the culprit if it shows up there.
0
 
LVL 16

Author Comment

by:kshays
ID: 16890879
*nods*

Looks like I'll have to post my results tomorrow morning.  It appears that I'm going to have to physically reset my workstation at work :(

I'll post back if I can get access to it.

regards,

kshays
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16891204
0
 
LVL 32

Expert Comment

by:r-k
ID: 16891917
A hardware problem can't be ruled out, but Process Explorer can help there. If it is a hardware issue, you will see the item "Interrupts" using a large percentage of CPU time (in Process Explorer).

A rootkitrevealer log will be most interesting, esp. if there is a hidden driver (.sys) somewhere. I've seen a few cases where the only symptom was an unexplained usage of CPU in Task Manager.

You say you already  disabled the AV programs, that is the third reason I've seen for such a symptom.

(moh10ly: the link you cited has a description of a similar problem, but no solution. Did I miss something there?)


0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16892653
Yep true r-k, but I didn't finish my post as I had posted it to ask the questioner if he has any crashes when this occurs..!?

As I have read/seen in a lot of other threads about winlogon, which is responsible for the log in/log out, registration code and user settings, it also could be a virus "W32.Netsky.D" or a "Backdoor trojan" W32/Backdoor-CFB.

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

The file by default is located on %windir%\System32...!

Also you have to check whether the file name is WinLogon.exe OR WinIogon.exe, with I not L. The file originally is WinLogon.exe; if it is spelled with an I then you must delete it.

And regarding the many files of Winlogon.exe, you should restart to command prompt mode and delete those files from the windows and system32 directories. In case you couldn't, then you should do a repair install to replace those files.

OR go to Start --> Run --> type sfc /scannow and press Enter           "Insert XP CD and wait till it finishes, restart your computer and check back".
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16893092
A lot of malware/viruses/trojans use the winlogon key just like vundo, look2me, blackworm, Universa, ULWindowSeek, ULWindowURL etc to avoid detection and hard removal.
That's where Hijackthis comes into the rescue which can give us the exact picture of the malware.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16893100
True rpggamergirl, and in this case I guess that you need to provide kshays a link for Hijackthis with an explanation on how to use it, with pictures, to make it easier on him..!

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16893154
Yeah, it's in my first post {http:#16890729}
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16893236
0
 
LVL 16

Author Comment

by:kshays
ID: 16894496
Ok, here is the link to the hijackthis.  I did notice a winlogon notify entry 020 in there now which wasn't before, but I guess that's probably because I reinstalled xp by just doing an upgrade on it only.

http://www.hijackthis.de/#anl
http://www.hijackthis.de/logfiles/2cdd58483d6175b178df16e76739b54f.html

I'm going to read the other comments now :)

thanks,

kshays
0
 
LVL 16

Author Comment

by:kshays
ID: 16894619
Ok, just got through reading all the other posts from last night that I missed.

With process explorer the hardware interrupts do not use any cpu at all.
- There is only 1 process for "winlogon.exe" now.
By the way the "rkilsrv.exe" is used by me.

going to run rootkitrevealer now.

kshays
0
 
LVL 32

Expert Comment

by:r-k
ID: 16894704
Nothing obviously bad in the HJT log, so most likely you don't have traditional malware.
0
 
LVL 16

Author Comment

by:kshays
ID: 16894727
Scan completed with no discrepancies found with rootkitrevealer as well.

*ponder*

Yeah, that's what I thought as well from the HJT log.

regards,

kshays
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16894776
Do a repair installation..! or run the sfc /scannow command..!
0
 
LVL 16

Author Comment

by:kshays
ID: 16894823
Already performed the repair installation, I'll try the sfc again to make sure.

regards,

kshays
0
 
LVL 32

Expert Comment

by:r-k
ID: 16895001
Does Process Explorer now show one copy, or four copies, of winlogon.exe?

Does the winlogon.exe cpu usage happen in safe mode also?

Anything interesting if you run "netstat -ab" from a command prompt?

If you login as a different username, does the problem go away?

0
 
LVL 16

Author Comment

by:kshays
ID: 16895176
- Only shows 1 copy now of winlogon.exe
- Whether it's on the domain or local workstation with different usernames it's the same.
- Nothing really out of the ordinary with netstat -ab
- I'll check safe mode, I can't remember if I checked that already or not.

kshays
0
 
LVL 16

Author Comment

by:kshays
ID: 16895305
the sfc /scannow was fine.

Booting into safe mode did rectify the problem with the winlogon.exe cpu usage though.  Now there is finally some light shedding :)

kshays
0
 
LVL 32

Accepted Solution

by:
r-k earned 300 total points
ID: 16895344
That's interesting. It means there is some add-on program or service (e.g. AV or something like that) that might be causing this. You could start by disabling everything in the "Startup" tab in msconfig then boot in normal mode and see if that helps.
0
 
LVL 16

Author Comment

by:kshays
ID: 16895433
Nothing starting up now, but the problem still persists.  Going to see if anything looks weird for the services that are being started.

kshays
0
 
LVL 32

Expert Comment

by:r-k
ID: 16895475
A good program in this regard is Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html)

Good idea to selectively disable services as well.
0
 
LVL 16

Author Comment

by:kshays
ID: 16895526
Compared services from my machine to another generic workstation and came up with a few.

telephony, virtual server helper, virtual server were the only ones that were running on mine that weren't on the other station.

downloading autoruns now.

thanks,

kshays
0
 
LVL 16

Author Comment

by:kshays
ID: 16895542
Wow, autoruns looks pretty awesome :)

0
 
LVL 16

Author Comment

by:kshays
ID: 16896663
Still no luck.  I'm thinking it is a service that is starting up, but I've killed almost all I could and tested the others to no avail.  I'm wondering if installing virtual server 2005 r2 on the machine has any effect on the winlogon process?

kshays
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16897042
Have you tried to install the genuine software when downloading Windows updates???
0
 
LVL 16

Author Comment

by:kshays
ID: 16897649
Yes.
0
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 100 total points
ID: 16897711
Can you uninstall it please? The notification and the IE genuine tool.

You can do so by going to add/remove or by going to the registry..
Goto Start --> Run --> type regedit and enter..

Navigate to the following Reg key..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Click on the "+" next to the Notify folder to drop down the folder tree, right click on WGAlogon, export it to the desktop and then delete it.

Go back to this key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

On the right pane, check the Shell Reg name as it should be as follows when you double click it...

Value Name
Shell

Value Data:
Explorer.exe

Then restart your computer and check again.

0
 
LVL 16

Author Comment

by:kshays
ID: 16898123
I'll check that out when I get to the office tomorrow morning.

regards,

kshays
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 16898340
Let's look at your winlogon notify key just in case something is hiding there.
Start > Run > type in

cmd

press Enter,
then copy and paste the text below into your command prompt, notepad will open with some text, post the notepad contents back here.
----------------------------------------------------------------------------------------------------------------

regedit /e c:\bad.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
start c:\bad.txt

0
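The two replies above both boil down to inspecting the Winlogon key: the Shell value under Winlogon, and every DLL registered under Winlogon\Notify. The script below is an added, read-only audit written for this thread; it is not code from any of the posters or from Sysinternals. It assumes an elevated PowerShell session on the machine being examined; the Notify key exists on Windows XP but is normally absent on later versions, which the script treats as "nothing to check". It also goes slightly beyond the thread by checking the Userinit value and the path and signature of each Notify DLL, since those are the same kind of winlogon-loaded entries.

```powershell
# Added audit for the Winlogon registry locations discussed in this thread.
# Read-only: it changes nothing. Assumes an elevated PowerShell session.
function Test-WinlogonIntegrity {
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $notifyKey   = Join-Path $winlogonKey 'Notify'
    $system32    = Join-Path $env:SystemRoot 'System32'
    $findings    = @()

    # 1. winlogon.exe instances: one per interactive session is normal,
    #    and every instance should run from System32 (see r-k's first reply).
    $procs = @(Get-Process -Name winlogon -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 1) {
        $findings += "$($procs.Count) winlogon.exe instances (one per session is normal)"
    }
    foreach ($p in $procs) {
        $path = $p.Path   # $null when the process cannot be queried
        if ($path -and ($path -ne (Join-Path $system32 'winlogon.exe'))) {
            $findings += "winlogon.exe PID $($p.Id) runs from unexpected path: $path"
        }
    }

    # 2. Shell (from the thread) and Userinit (added): expected defaults.
    $wl = Get-ItemProperty -Path $winlogonKey
    if ($wl.Shell -ne 'explorer.exe') {
        $findings += "Shell is '$($wl.Shell)', expected 'explorer.exe'"
    }
    $expectedUserinit = (Join-Path $system32 'userinit.exe') + ','
    if ($wl.Userinit -ne $expectedUserinit) {
        $findings += "Userinit is '$($wl.Userinit)', expected '$expectedUserinit'"
    }

    # 3. Winlogon\Notify: each subkey's DLLName is loaded into winlogon.exe.
    #    Report entries whose DLL is missing, unsigned, or lacks a DLLName.
    if (Test-Path $notifyKey) {
        foreach ($sub in Get-ChildItem -Path $notifyKey) {
            $name = $sub.PSChildName
            $dll  = (Get-ItemProperty -Path $sub.PSPath).DLLName
            if (-not $dll) { $findings += "Notify\$name has no DLLName value"; continue }
            # Relative names resolve against System32, as winlogon does.
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
            if (-not (Test-Path $full)) { $findings += "Notify\$name DLL not found: $full"; continue }
            $sig = Get-AuthenticodeSignature -FilePath $full
            if ($sig.Status -ne 'Valid') {
                $findings += "Notify\$name DLL $full signature status: $($sig.Status)"
            }
        }
    }
    return $findings
}

$result = Test-WinlogonIntegrity
if ($result.Count -eq 0) { 'No findings in Winlogon key or winlogon.exe processes' } else { $result }
```

An unexpected Shell/Userinit value or an unsigned Notify DLL is a lead to investigate (export the key first, as the reply above suggests), not proof of infection on its own.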
 
LVL 16

Author Comment

by:kshays
ID: 16902135
Well it appears I'll have to close this question.  It appears that there are other things wrong with my system as well, hardware related that is.  Looks like I'm going to have to build a pc for me out of scrap parts here at work.

I did check the winlogon key details in the hklm hive the other day and didn't notice anything unusual.  That was before I posted the question though.

I'll split the points up and thank you for your time :)

regards,

kshays
0
 
LVL 32

Expert Comment

by:r-k
ID: 16908366
OK, good luck. The last time I had something similar happen, it turned out to be a loose IDE cable (and there was a constant 20% usage shown in Task Manager). I think what happens is that if the CPU is busy due to hardware or software interrupts, the Task Manager just assigns that CPU usage to some seemingly random process (though I am not sure of this). I am a bit disappointed that Process Explorer did not help in this case, though it is still a great program.

In case you get a more definite resolution do let us know. Thanks!
0
 
LVL 16

Author Comment

by:kshays
ID: 16908483
Thanks, it just didn't really make any sense though why it happened.  I did have to reinstall xp sp2 pro though, but before I could do that I had to switch out the dvd drive.  Darn thing would not boot yet hardly read any cd/dvds at all.  It's one of those dell optiplex with the hot-swappable dvd drives.  I wish I just had a good old plain tower for my workstation that I built instead ;)

Yeah, the process explorer and other utilities are very nice, I just cannot believe that I've not used them before this though.

I still believe in the back of my mind that the dvd drive had something to do with the problem though.

regards,

kshays :)

0
 
LVL 1

Expert Comment

by:QZee
ID: 20628826
**** New Fix ********

I experienced this issue when my PC rebooted due to power failure.
I suspect it caused an issue with an offline file sync and the client is polling the server with an expired ticket or something.
A clear symptom is that the PC hangs when you select the offline files tab in folder options in Windows Explorer.
Anyway, these steps reset the CSC (offline files) database and fixed the problem.

If you cannot access the Offline Files tab, use this method to reinitialize the Offline Files (CSC) cache on the system by modifying the registry. Use this method also to reinitialize the offline files database/client-side cache on multiple systems. Add the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
Key Name: FormatDatabase
Key Type: DWORD
Key Value: 1
Note The actual value of the registry key is ignored. This registry change requires a restart. When the computer is restarting, the shell will reinitialize the CSC cache and then delete the registry key if the registry entry exists.

Warning All cache files are deleted and unsynchronized data is lost.
0
 

Expert Comment

by:afreemaniii
ID: 20823937
QZee-great solution!!  That did the trick for me.  I'm sorry that the ticket is already closed and I can't give you any points.  
0
 
LVL 1

Expert Comment

by:fco_jimenez
ID: 21458489
Qzee's solution worked for me too. Exactly the same symptoms: winlogon 50% cpu usage and a long delay logging in. I ended up disabling Offline Folders altogether in order to get rid of the problem completely.
0
 
LVL 2

Expert Comment

by:chand_shahzad
ID: 22518273
Qzee. Thanks. It works great.
0
 

Expert Comment

by:txbigden1
ID: 30135752
QZee..you are my hero!!!
0