• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11552
  • Last Modified:

Winlogon.exe sits at 50% cpu

After googling and other troubleshooting methods, i need some other opinions on this situation.

Running dell optiplex pentium4 with 1 gig of memory.
OS is xp sp2 with all the latest hotfixes.

The workstation (mine) was fine on friday when I left, but when I came in this morning I noticed that IE had the IE enhanced security enabled on it. I didn't install the enchanced security settings either.  In IE on the security tab for the "internet" it is set to "high" and that is the only option now.

Another thing is my "winlogon.exe" process is taking 50-51% cpu usage in task manager.  I have viewed this in other process exploreres and it shows 4 instances of "winlogon.exe" is running, but in the windows task manager it shows only one.

I have already ran all of your normal spyware, virus protection programs which include hijackthis, spybot, adaware, windows defender, trend micro, mcafee, panda, bitdefender.  No viruses were found and only a few things were found for spyware/malware which looked like the normal entries I find all the time I scan.

My question is if it's not a virus/spyware then why/how/what made my IE settings be hardended over the weekend and the winlogon.exe process stay at 50%?

My main concern right now is the winlogon.exe process taking that much cpu usage at all times.

regards,

kshays
0
Kevin Hays
Asked:
Kevin Hays
  • 19
  • 9
  • 7
  • +6
3 Solutions
 
r-kCommented:
Where are these winlogon processes running from?

For comparison, my winlogon.exe file is 491 KB in size dated 8/4/2004 and resides in the c:\windows\system32 folder.

If you have winlogon running from other location that might indicate a problem.
0
 
Kevin HaysIT AnalystAuthor Commented:
Exactly like you stated :(

No other instances of winlogon are on my system.

regards,

kshays
0
 
r-kCommented:
Try disabling the AV software that is currently installed, and see if that makes a difference.
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

 
Kevin HaysIT AnalystAuthor Commented:
Tried that as well.  Even went into safe mode and ran the apps from that perspective as well.
Here is a list off the top of my head that i've done already.

- checked to make sure no other instances of "winlogon.exe" is on my system.
- ran all usual spyware/malware/antivirus programs in normal and safe mode.
- killed smss.exe and lsass.exe then tried to kill winlogon.exe (winlogon.exe was not able to be killed).  Actually it said it was, but it never went away.  I was using, hmm, process explorer I think from sysinternals.
- check registry entries in the run section.  Nothing in there that shouldn't be.  Actually just one item and it was the ctfmon.
- hijackthis didn't show anything recent or unusual either.
- checked eventvwr logs.
- did notice that it looked like someone looged onto my system at 4:17 pm saturday though considering my pc was off friday night and was off again monday morning.  The log was the printer driver was not installed locally on the server and source computer was my stations name.  Only time I see that warning when I or someone else remote desktops to either an application server or I remote manage the servers.
- I do have a feeling that a former employee gained access to our network considering the router, dmz and local switches were configured the same way as when he(it manager) left a month or so ago, which this is NOT good at all.  The network was configured as follows (green, orange, red networks was all connected together and all authentication was coming in on the local (green network)!!!

There are other things i've done also, just can't really remember right now.  I've seen articles mentioned that it's possible it could be hardware related??  Not sure about that one, but I know I cannot boot from a cd anymore though.  Darn dell workstation cannot recognize it for some reason.  That's a whole other story i've battled today as well.

thanks,

kshays :)
0
 
r-kCommented:
Seems like you've done a lot, but might want to try the following two:

(1) RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html

(2) Process Explorer from: http://www.sysinternals.com/Utilities/ProcessExplorer.html

 Process Explorer can sometimes give you an insight about what the process is doing in more detail. It's also quick to run so you might try that before RootkitRevealer.

Have to run but will check back in a couple hours.

Good luck.
0
 
rpggamergirlCommented:
Can we please look at your hijackthis log?
It would show there if there are culprits using the winlogon key.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
Kevin HaysIT AnalystAuthor Commented:
Yeah, that's the explorer that I used.  I noticed 4 winlog.exe programs running with the main one having the dependencies for it.  I was able to kill it after I killed 2 previous processes.  It didn't kill the other 3 though and I was unable to kill those.

Example:

Winlogon.exe
- services
- other
- others
Winlogon.exe
Winlogon.exe
crss.exe
explorer.exe
- winword.exe
- others

I'll download the rootkitrevealer and see what I can find with that one also.

PS:  I noticed with security explorer and the messages from winlogon.exe i'm getting a bunch of messages about low battery warnings and other warnings about the battery for some reason.

kshays
0
 
rpggamergirlCommented:
You have "winlog.exe" running?
OK, that is Alcan/P2P Network worm, your hijackthis log should confirm it.

Anyway once confirmed, here is the fix, unless it comes with new variants this should fix it.

1. Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. Download Alcra PLUS Remover.
http://metallica.geekstogo.com/alcanshorty.bfu 
Save it in the same folder you made earlier (c:\BFU) <-- Important

Reboot to Safe Mode.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows
0
 
Kevin HaysIT AnalystAuthor Commented:
DOH, i mispelled that, it's winlogon.exe, sorry :(

I'll most definately take a look into those also though.  I'm game right now ;)

kshays

PS:  i'll post the hijack log in a few minutes, taking a little longer to rd to my workstation from home, dang process is making it slow to access stuff!
0
 
rpggamergirlCommented:
No need to run those if you haven't got the Alcan worm,

Please let us look at your hijackthis log, I'm positive we can pinpoint the culprit if it show up there.
0
 
Kevin HaysIT AnalystAuthor Commented:
*nods*

Looks like i'll have to post my results tomorrow morning.  It appears that i'm going to physically reset my workstation at work :(

I'll post back if I can get access to it.

regards,

kshays
0
 
Mohammed HamadaSenior IT ConsultantCommented:
0
 
r-kCommented:
A hardware problem can't be ruled out, but Process Explorer can help there. If it is a hardware issue, you will see the item "Interrupts" using a large percentage of CPU time (in Process Explorer).

A rootkitrevealer log will be most interesting, esp. if there is a hidden driver (.sys) somewhere. I've seen a few cases where the only symptom was an unexplained usage of CPU in Task Manager.

You say you already  disabled the AV programs, that is the third reason I've seen for such a symptom.

(moh10ly: the link you cited has a description of a similar problem, but no solution. Did I miss something there?)


0
 
Mohammed HamadaSenior IT ConsultantCommented:
Yep true r-k, but I didn't finish my post as i have posted it to ask the questionire if he has any crashes when this occurs..!?

As I have read/seen in alot of other threads about the winlogon which is responsible for the log in/log out, registeration code and user settings, It also could be a virus "W32.Netsky.D" or a "Backdoor trojan" W32/Backdoor-CFB.

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

The file by default is located on %windir%\System32...!

Also You have to check weather if the file name is WinLogon.exe OR WinIogon.exe By I not L, The file originaly is WinLogon.exe, If it was by I then you must delete it.

and regarding to the many files OF Winlogon.exe you should restart to command prompt mode and delete those files from windows and system32 Directory, In case you couldn't then you should do a repair install to replace those files.

OR goto Start --> Run --> type sfc /scannow and enter           "Insert XP CD and wait till it finish, restart your computer And check back".
0
 
rpggamergirlCommented:
A lot of malware/viruses/trojans use the winlogon key just like vundo, look2me, blackworm, Universa, ULWindowSeek, ULWindowURL etc to avoid detection and hard removal.
That's where Hijackthis comes into the rescue which can give us the exact picture of the malware.
0
 
Mohammed HamadaSenior IT ConsultantCommented:
True rpggamegirl, and in this case i guess that you need to provide  kshays a link for Hijackthis with an explination on how to use with in pictures to make it easier on him..!

0
 
rpggamergirlCommented:
Yeah, it's in my first post {http:#16890729}
0
 
Mohammed HamadaSenior IT ConsultantCommented:
0
 
Kevin HaysIT AnalystAuthor Commented:
Ok, here is the link to the hijackthis.  I did notice a winlogon notify entry 020 in there now which wasn't before, but I guess that's probably because I reinstalled xp by just doing an upgrade on it only.

http://www.hijackthis.de/#anl
http://www.hijackthis.de/logfiles/2cdd58483d6175b178df16e76739b54f.html

I'm going to read the other comments now :)

thanks,

kshays
0
 
Kevin HaysIT AnalystAuthor Commented:
Ok, just got through reading all the other posts from last night that I missed.

With process explorer the hardware interrupts do not use any cpu at all.
- There is only 1 process for "winlogon.exe" now.
By the way the "rkilsrv.exe" is used by me.

going to run rootkitrevealer now.

kshays
0
 
r-kCommented:
Nothing obviously bad in the HJT log, so most likely you don't have traditional malware.
0
 
Kevin HaysIT AnalystAuthor Commented:
Scan completed with no discrepenciens found with rootkitrevealer as well.

*ponder*

Yeah, that's what I thought as well from the HJT log.

regards,

kshays
0
 
Mohammed HamadaSenior IT ConsultantCommented:
Do a repair installation..! or run the sfc /scannow command..!
0
 
Kevin HaysIT AnalystAuthor Commented:
Already performed the repair installation, i'll try the sfc again to make sure.

regards,

kshays
0
 
r-kCommented:
Does Process Explorer now show one copy, or four copies, of winlogon.exe?

Does the winlogon.exe cpu usage happen in safe mode also?

Anything interesting if you run "netstat -ab" from a command prompt?

If you login as a different username, does the problem go away?

0
 
Kevin HaysIT AnalystAuthor Commented:
- Ony shows 1 copy now of winlogon.exe
- Whether it's on the domain or local worsktation with different usernames it's the same.
- Nothing really out of the ordinary with netstat -ab
- I'll check safe mode, I can't remember if I checked that already or not.

kshays
0
 
Kevin HaysIT AnalystAuthor Commented:
the sfc /scannow was fine.

Booting into safe mode did rectifiy the problem with the winlogon.exe cpu usage though.  Now there is finally some light shedding :)

kshays
0
 
r-kCommented:
That's interesting. It means there is some add-on program or service (e.g. AV or something like that) that might be causing this. You could start by disabling everything in the "Startup" tab in msconfig then bot in normal mode and see if that helps.
0
 
Kevin HaysIT AnalystAuthor Commented:
Nothing starting up now, but problem still persist.  Going to see if anything looks weird for the services that are being started.

kshays
0
 
r-kCommented:
A good program in this regard is Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html)

Good idea to selectively disable services as well.
0
 
Kevin HaysIT AnalystAuthor Commented:
Compared services from my machine to another generic workstation and came up with a few.

telephony, virtual server helper, virtual server was only ones that were running on mine that wasn't on the other station.

downloading autoruns now.

thanks,

kshays
0
 
Kevin HaysIT AnalystAuthor Commented:
Wow, autoruns looks pretty awesome :)

0
 
Kevin HaysIT AnalystAuthor Commented:
still no luck.  I'm thinking it is a service that is starting up, but i've killed almost all I could and tested the others to no avail.  I'm wondering if installing virtual server 2005 r2 on the machine has any effect on the winlogon process?

kshays
0
 
Mohammed HamadaSenior IT ConsultantCommented:
Have you tried to install the genuine software when downloading Windows updates???
0
 
Kevin HaysIT AnalystAuthor Commented:
Yes.
0
 
Mohammed HamadaSenior IT ConsultantCommented:
Can you Uninstall it please? the notification and the IE genuine tool.

You can do so by going to add/remove or by going to registry..
Goto Start --> Run --> type regedit and enter..

Navigate to the following Reg key..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Click on the "+" next to Notify folder to drop down the folders tree, and right click on WGAlogon then export it desktop and then delete it.

Go back to this key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

On the right pane, check the Shell Reg name as it should be as follows when you double click it...

Value Name
Shell

Value Data:
Explorer.exe

Then restart your computer and check again.

0
 
Kevin HaysIT AnalystAuthor Commented:
i'll check that out when I get to the office tomorrow morning.

regards,

kshays
0
 
rpggamergirlCommented:
Let's look at your winlogon notify key just incase something is hiding there.
Start > Run > type in

cmd

press Enter,
then copy and paste the text below into your command prompt, notepad will open with some text, post the notepad contents back here.
----------------------------------------------------------------------------------------------------------------

regedit /e c:\bad.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
start c:\bad.txt

0
 
Kevin HaysIT AnalystAuthor Commented:
Well it appears i'll have to close this question.  It appears that there are other things wrong with my system as well, hardware related that is.  Looks like i'm going to have to build a pc for me out of scrap parts here at work.

I did check the winlogon key details in the hklm hive the other day and didn't notice anything unusual.  That was before I posted the question though.

I'll split the points up and thank you for your time :)

regards,

kshays
0
 
r-kCommented:
OK, good luck. The last time I had something similar happen, it turned out to be a loose IDE cable (and there was a constant 20% usage shown in Task Manager). I think what happens is that if the CPU is busy due to hardware or software interrupts, the Task Manager just assigns that CPU usage to some seemingly random process (though I am not sure of this). I am a bit disappointed that Process Explorer did not help in this case, though it is still a great program.

In case you get a more definite resolution do let us know. Thanks!
0
 
Kevin HaysIT AnalystAuthor Commented:
Thanks, just didn't really make any sense though why it happened.  I did have to reinstall xp sp2 pro though, but before I could do that I had to switch out the dvd drive.  Darn thing would not boot yet hardly read any cd/dvd's at all.  It's one of those dell optiplex with the hot swapable dvd drives.  I wish I just had a good old plain tower for my workstation that I built instead ;)

Yeah, the process explorer and other utilities are very nice, i just cannot believe that i've not used them before this though.

I still believe in the back of my mind that the dvd drive had something to do with the problem though.

regards,

kshays :)

0
 
QZeeCommented:
**** New Fix ********

I experienced this issue when my PC rebooted due to power failure.
I suspect it caused an issue with an offline file sync and the client is polling the server with an expired ticket of something.
A clear symptom is that the PC hangs when you select the offline files tab in folder options in Windows Explorer.
Anyway, these steps resets the CSC (offline files) dadtabase and fixed the problem.

If you cannot access the Offline Files tab, use this method to reinitialize the Offline Files (CSC) cache on the system by modifying the registry. Use this method also to reinitialize the offline files database/client-side cache on multiple systems. Add the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
Key Name: FormatDatabase
Key Type: DWORD
Key Value: 1
Note The actual value of the registry key is ignored. This registry change requires a restart. When the computer is restarting, the shell will reinitialize the CSC cache and then delete the registry key if the registry entry exists.

Warning All cache files are deleted and unsynchronized data is lost.
0
 
afreemaniiiCommented:
QZee-great solution!!  That did the trick for me.  I'm sorry that the ticket is already closed and I can't give you any points.  
0
 
fco_jimenezCommented:
Qzee solution worked for me too. Exactly the same symptoms: winlogon 50% cpu usage and a long delay logging in. I ended disabling the Offline Folder's altogether in other to get rid completely of the problem.
0
 
chand_shahzadCommented:
Qzee. Thanks. Its works greatly.
0
 
txbigden1Commented:
QZee..you are my hero!!!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 19
  • 9
  • 7
  • +6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now