winlogon.exe: Virus or not?

KING LITERATE

Googling it only adds to the confusion. Some sites say it's a virus, others not

What do you guys think?

L Ron Howard

Not a virus.

BoomShake

First Google result

The process "winlogon.exe" runs in the background. Winlogon is a part of the Windows Login subsystem, and is necessary for user authorization and Windows activation checks.

Note: The winlogon.exe file is located in the folder C:\Windows\System32. In other cases, winlogon.exe is a virus, spyware, trojan or worm!

L Ron Howard

The virus one has a much larger footprint.

Hevach

L Ron Howard wrote: »

The virus one has a much larger footprint.

Also, based on the one time I encountered it, you'll have two winlogin.exe's in the task list, one of which will be owned by the current user.

urahonky

The reason it rings alarm bells for me is that it doesn't have a description, while mine does.... Can you right click-> open file location and see it there?

ashridah

While this is hardly definitive, that Winlogon.exe process is using about 10 times more memory than the ones on any of my machines. (mine are win7 though, and you don't mention which version of windows you have), and as urahonky mentions, it's missing the process description. The file properties and other parts of it should read "Windows Logon Application". If your version of winlogon.exe doesn't have that set, then it's more likely that something's not quite right.

I'd be looking to do a scan and cleanup from a clean system, if you can, just to be on the safe side.

Hahnsoo1

The winlogon.exe process can be a system resource, but it's a common target for various trojans and worms. The one I've experienced (from clicking a link, of all things) was the Vundo worm, but there are many many others. Typically, the virus/trojan one will be in a directory other than the System directory, like in Documents and Settings.

KING LITERATE

ashridah wrote: »

While this is hardly definitive, that Winlogon.exe process is using about 10 times more memory than the ones on any of my machines. (mine are win7 though, and you don't mention which version of windows you have), and as urahonky mentions, it's missing the process description. The file properties and other parts of it should read "Windows Logon Application". If your version of winlogon.exe doesn't have that set, then it's more likely that something's not quite right.

I'd be looking to do a scan and cleanup from a clean system, if you can, just to be on the safe side.

I'm using Vista Ultimate, and the reason I didn't have a description for winlogon was because I wasn't logged on as Administrator.

Anyway, here's what my Task Manager looks like now (take note Office is only there because of a homework assignment I'm currently doing)

KING LITERATE

Okay, now I'm really worried. I don't really think it's supposed to duplicates:

Ultimanecat

What are you worried about in that picture? It's fine to have multiple instances of svchost.exe running if that is what's concerning you.

Psychotic One

If you are really worried try running Malware Bytes and what ever Anti-virus you have on your computer. If its a fake it should be found and killed by either program.

ronya

If you worry about this sort of thing, go download Microsoft's sysinternals process explorer. Set it to show command line and user name.

This is what it'll look like:

Lots more info to chew on. It can check file digital signatures, too.