Kevin Hays

asked on

Winlogon.exe sits at 50% cpu

After googling and other troubleshooting methods, I need some other opinions on this situation.

Running a Dell Optiplex Pentium 4 with 1 GB of memory.
OS is XP SP2 with all the latest hotfixes.

The workstation (mine) was fine on Friday when I left, but when I came in this morning I noticed that IE had the IE enhanced security enabled on it. I didn't install the enhanced security settings either. In IE on the security tab for the "internet" zone it is set to "high" and that is the only option now.

Another thing is my "winlogon.exe" process is taking 50-51% CPU usage in Task Manager. I have viewed this in other process explorers and it shows 4 instances of "winlogon.exe" running, but in the Windows Task Manager it shows only one.

I have already run all of your normal spyware and virus protection programs, which include HijackThis, Spybot, Ad-Aware, Windows Defender, Trend Micro, McAfee, Panda and BitDefender. No viruses were found and only a few things were found for spyware/malware, which looked like the normal entries I find every time I scan.

My question is, if it's not a virus/spyware, then why/how/what made my IE settings be hardened over the weekend and the winlogon.exe process stay at 50%?

My main concern right now is the winlogon.exe process taking that much cpu usage at all times.

regards,

kshays
r-k

Where are these winlogon processes running from?

For comparison, my winlogon.exe file is 491 KB in size dated 8/4/2004 and resides in the c:\windows\system32 folder.

If you have winlogon running from another location, that might indicate a problem.
Kevin Hays (ASKER)

Exactly like you stated :(

No other instances of winlogon are on my system.

regards,

kshays
Try disabling the AV software that is currently installed, and see if that makes a difference.
Tried that as well. Even went into safe mode and ran the apps from that perspective as well.
Here is a list, off the top of my head, of what I've done already.

- checked to make sure no other instances of "winlogon.exe" are on my system.
- ran all usual spyware/malware/antivirus programs in normal and safe mode.
- killed smss.exe and lsass.exe, then tried to kill winlogon.exe (winlogon.exe was not able to be killed). Actually it said it was, but it never went away. I was using, hmm, Process Explorer I think, from Sysinternals.
- checked registry entries in the Run section. Nothing in there that shouldn't be. Actually just one item, and it was ctfmon.
- HijackThis didn't show anything recent or unusual either.
- checked Event Viewer logs.
- did notice that it looked like someone logged onto my system at 4:17 pm Saturday though, considering my PC was off Friday night and was off again Monday morning. The log said the printer driver was not installed locally on the server and the source computer was my station's name. The only time I see that warning is when I or someone else remote desktops to either an application server or I remote manage the servers.
- I do have a feeling that a former employee gained access to our network, considering the router, DMZ and local switches were configured the same way as when he (the IT manager) left a month or so ago, which is NOT good at all. The network was configured as follows: green, orange and red networks were all connected together and all authentication was coming in on the local (green) network!!!

There are other things I've done also, just can't really remember right now. I've seen articles mention that it's possible it could be hardware related?? Not sure about that one, but I know I cannot boot from a CD anymore though. Darn Dell workstation cannot recognize it for some reason. That's a whole other story I've battled today as well.

thanks,

kshays :)
Seems like you've done a lot, but might want to try the following two:

(1) RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html

(2) Process Explorer from: http://www.sysinternals.com/Utilities/ProcessExplorer.html

Process Explorer can sometimes give you an insight about what the process is doing in more detail. It's also quick to run, so you might try that before RootkitRevealer.

Have to run but will check back in a couple hours.

Good luck.
Can we please look at your hijackthis log?
It would show there if there are culprits using the winlogon key.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
Yeah, that's the explorer that I used.  I noticed 4 winlog.exe programs running with the main one having the dependencies for it.  I was able to kill it after I killed 2 previous processes.  It didn't kill the other 3 though and I was unable to kill those.

Example:

Winlogon.exe
- services
- other
- others
Winlogon.exe
Winlogon.exe
csrss.exe
explorer.exe
- winword.exe
- others

I'll download the rootkitrevealer and see what I can find with that one also.

PS: I noticed with Process Explorer and the messages from winlogon.exe I'm getting a bunch of messages about low battery warnings and other warnings about the battery for some reason.

kshays
You have "winlog.exe" running?
OK, that is Alcan/P2P Network worm, your hijackthis log should confirm it.

Anyway once confirmed, here is the fix, unless it comes with new variants this should fix it.

1. Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. Download Alcra PLUS Remover.
http://metallica.geekstogo.com/alcanshorty.bfu 
Save it in the same folder you made earlier (c:\BFU) <-- Important

Reboot to Safe Mode.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows
DOH, I misspelled that, it's winlogon.exe, sorry :(

I'll most definitely take a look into those also though. I'm game right now ;)

kshays

PS: I'll post the HijackThis log in a few minutes, it's taking a little longer to RD to my workstation from home, dang process is making it slow to access stuff!
No need to run those if you haven't got the Alcan worm,

Please let us look at your hijackthis log, I'm positive we can pinpoint the culprit if it show up there.
*nods*

Looks like I'll have to post my results tomorrow morning. It appears that I'm going to have to physically reset my workstation at work :(

I'll post back if I can get access to it.

regards,

kshays
A hardware problem can't be ruled out, but Process Explorer can help there. If it is a hardware issue, you will see the item "Interrupts" using a large percentage of CPU time (in Process Explorer).

A rootkitrevealer log will be most interesting, esp. if there is a hidden driver (.sys) somewhere. I've seen a few cases where the only symptom was an unexplained usage of CPU in Task Manager.

You say you already disabled the AV programs; that is the third reason I've seen for such a symptom.

(moh10ly: the link you cited has a description of a similar problem, but no solution. Did I miss something there?)


Yep, true r-k, but I didn't finish my post, as I have posted it to ask the questioner if he has any crashes when this occurs..!?

As I have read/seen in a lot of other threads about winlogon, which is responsible for the log in/log out, registration code and user settings, it could also be a virus "W32.Netsky.D" or a "Backdoor trojan" W32/Backdoor-CFB.

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

The file by default is located on %windir%\System32...!

Also you have to check whether the file name is WinLogon.exe OR WinIogon.exe (with I, not L). The original file is WinLogon.exe; if it is with I then you must delete it.

And regarding the many files of Winlogon.exe, you should restart in command prompt mode and delete those files from the Windows and System32 directories. In case you couldn't, then you should do a repair install to replace those files.

OR goto Start --> Run --> type sfc /scannow and enter           "Insert XP CD and wait till it finish, restart your computer And check back".
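The checks the thread keeps coming back to (where each winlogon instance runs from, how many there are, and whether the name is really winlogon with an L) can be run in one go. This is an added example, not code from the thread or from any of the posters; it assumes an elevated PowerShell session, and the regex and field names are my own:

```powershell
# Added example: triage checks for winlogon.exe on a Windows host.
# Assumes an elevated session; the image path of SYSTEM processes is hidden otherwise.
$expectedPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# -match is case-insensitive, so [li] also catches the capital-I-for-l look-alike
$procs = @(Get-Process | Where-Object { $_.ProcessName -match '^win[li]og[o0]n$' })

"Found $($procs.Count) matching process(es); one per interactive/RDP session is normal"
foreach ($p in $procs) {
    $findings = @()
    if ($p.ProcessName -ne 'winlogon') { $findings += "name is '$($p.ProcessName)', not winlogon" }

    $path = $p.Path
    if (-not $path) {
        $findings += 'image path not readable (run elevated)'
    } else {
        if ($path -ne $expectedPath) { $findings += "runs from $path, expected $expectedPath" }
        # Windows binaries are often catalog-signed; older PowerShell reports those as
        # NotSigned, so treat a non-Valid status as a lead to follow up, not proof.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings += "Authenticode status: $($sig.Status)" }
        elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $findings += "signed by $($sig.SignerCertificate.Subject)" }
    }

    $cpu = [math]::Round($p.TotalProcessorTime.TotalSeconds, 1)
    $verdict = if ($findings) { $findings -join '; ' } else { 'looks normal' }
    "PID $($p.Id) session $($p.SessionId) cpu ${cpu}s : $verdict"
}

# Stray copies on disk outside System32 (any spelling variant) are worth a look
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Filter 'win?og?n.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $expectedPath } |
    Select-Object FullName, Length, LastWriteTime
```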
A lot of malware/viruses/trojans use the winlogon key just like vundo, look2me, blackworm, Universa, ULWindowSeek, ULWindowURL etc to avoid detection and hard removal.
That's where Hijackthis comes into the rescue which can give us the exact picture of the malware.
True rpggamegirl, and in this case I guess that you need to provide kshays a link for HijackThis with an explanation on how to use it, with pictures to make it easier on him..!

Yeah, it's in my first post {http:#16890729}
Ok, here is the link to the hijackthis.  I did notice a winlogon notify entry 020 in there now which wasn't before, but I guess that's probably because I reinstalled xp by just doing an upgrade on it only.

http://www.hijackthis.de/#anl
http://www.hijackthis.de/logfiles/2cdd58483d6175b178df16e76739b54f.html

I'm going to read the other comments now :)

thanks,

kshays
Ok, just got through reading all the other posts from last night that I missed.

With process explorer the hardware interrupts do not use any cpu at all.
- There is only 1 process for "winlogon.exe" now.
By the way the "rkilsrv.exe" is used by me.

going to run rootkitrevealer now.

kshays
Nothing obviously bad in the HJT log, so most likely you don't have traditional malware.
Scan completed with no discrepancies found with RootkitRevealer as well.

*ponder*

Yeah, that's what I thought as well from the HJT log.

regards,

kshays
Do a repair installation..! or run the sfc /scannow command..!
Already performed the repair installation, I'll try the sfc again to make sure.

regards,

kshays
Does Process Explorer now show one copy, or four copies, of winlogon.exe?

Does the winlogon.exe cpu usage happen in safe mode also?

Anything interesting if you run "netstat -ab" from a command prompt?

If you login as a different username, does the problem go away?

- Only shows 1 copy now of winlogon.exe
- Whether it's on the domain or the local workstation with different usernames, it's the same.
- Nothing really out of the ordinary with netstat -ab
- I'll check safe mode, I can't remember if I checked that already or not.

kshays
the sfc /scannow was fine.

Booting into safe mode did rectify the problem with the winlogon.exe CPU usage though. Now there is finally some light shedding :)

kshays
ASKER CERTIFIED SOLUTION
r-k
Nothing starting up now, but the problem still persists. Going to see if anything looks weird for the services that are being started.

kshays
A good program in this regard is Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html)

Good idea to selectively disable services as well.
Compared services from my machine to another generic workstation and came up with a few.

Telephony, Virtual Server Helper and Virtual Server were the only ones that were running on mine that weren't on the other station.

downloading autoruns now.

thanks,

kshays
Wow, Autoruns looks pretty awesome :)

Still no luck. I'm thinking it is a service that is starting up, but I've killed almost all I could and tested the others to no avail. I'm wondering if installing Virtual Server 2005 R2 on the machine has any effect on the winlogon process?

kshays
Have you tried to install the genuine software when downloading Windows updates???
Yes.
SOLUTION
I'll check that out when I get to the office tomorrow morning.

regards,

kshays
SOLUTION
Well, it appears I'll have to close this question. It appears that there are other things wrong with my system as well, hardware related that is. Looks like I'm going to have to build a PC for me out of scrap parts here at work.

I did check the winlogon key details in the hklm hive the other day and didn't notice anything unusual.  That was before I posted the question though.

I'll split the points up and thank you for your time :)

regards,

kshays
OK, good luck. The last time I had something similar happen, it turned out to be a loose IDE cable (and there was a constant 20% usage shown in Task Manager). I think what happens is that if the CPU is busy due to hardware or software interrupts, the Task Manager just assigns that CPU usage to some seemingly random process (though I am not sure of this). I am a bit disappointed that Process Explorer did not help in this case, though it is still a great program.

In case you get a more definite resolution do let us know. Thanks!
Thanks, it just didn't really make any sense though why it happened. I did have to reinstall XP SP2 Pro though, but before I could do that I had to switch out the DVD drive. Darn thing would not boot, yet hardly read any CD/DVDs at all. It's one of those Dell Optiplexes with the hot swappable DVD drives. I wish I just had a good old plain tower for my workstation that I built instead ;)

Yeah, Process Explorer and the other utilities are very nice, I just cannot believe that I've not used them before this though.

I still believe in the back of my mind that the dvd drive had something to do with the problem though.

regards,

kshays :)

**** New Fix ********

I experienced this issue when my PC rebooted due to power failure.
I suspect it caused an issue with an offline file sync and the client is polling the server with an expired ticket or something.
A clear symptom is that the PC hangs when you select the Offline Files tab in Folder Options in Windows Explorer.
Anyway, these steps reset the CSC (Offline Files) database and fixed the problem.

If you cannot access the Offline Files tab, use this method to reinitialize the Offline Files (CSC) cache on the system by modifying the registry. Use this method also to reinitialize the offline files database/client-side cache on multiple systems. Add the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
Key Name: FormatDatabase
Key Type: DWORD
Key Value: 1
Note The actual value of the registry key is ignored. This registry change requires a restart. When the computer is restarting, the shell will reinitialize the CSC cache and then delete the registry key if the registry entry exists.

Warning All cache files are deleted and unsynchronized data is lost.
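The registry step above can be scripted so that the staged value is confirmed before the restart and its removal by the shell is confirmed afterwards. This is an added example, not code from QZee's post; it assumes an elevated PowerShell session, and the function names are my own:

```powershell
# Added example: stage the Offline Files (CSC) cache reinitialisation and verify it.
# Assumes an elevated session. Function names are my own, not a Windows API.
$NetCacheKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache'
$ValueName   = 'FormatDatabase'

function Request-CscReset {
    # Create the key on a system that has never had Offline Files configured
    if (-not (Test-Path $NetCacheKey)) { New-Item -Path $NetCacheKey -Force | Out-Null }
    # The shell only tests for the value's presence; 1 is the documented convention
    New-ItemProperty -Path $NetCacheKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $NetCacheKey -Name $ValueName).$ValueName   # 1 once staged
}

function Test-CscResetPending {
    # True while the value still exists, i.e. the reset has not run yet
    $null -ne (Get-ItemProperty -Path $NetCacheKey -Name $ValueName -ErrorAction SilentlyContinue)
}

# Before the restart: stage the value and confirm it is present
Request-CscReset | Out-Null
"Reset pending before restart: $(Test-CscResetPending)"   # True when staged correctly

# After the restart, run Test-CscResetPending again: the shell reinitialises the
# cache during startup and deletes the value, so it should now return False.
```

If it still returns True after the restart, the shell did not process the value (for example because the key was written under a different hive or the restart was a resume, not a full boot).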
QZee, great solution!! That did the trick for me. I'm sorry that the ticket is already closed and I can't give you any points.
QZee's solution worked for me too. Exactly the same symptoms: winlogon 50% CPU usage and a long delay logging in. I ended up disabling Offline Folders altogether in order to get rid of the problem completely.
QZee, thanks. It works great.
QZee..you are my hero!!!