CROSS-POST - winlogon.exe consuming 50% CPU time

  • Thread starter Mike in Nebraska

Mike in Nebraska

[also posted on microsoft.public.windowsxp.security_admin]
Running WinXP Pro SP3.
========
I did some checking yesterday to see why my PC was "slow" and found that
this process was using ~50% of the CPU time. Did a reboot, same thing.
Googled it and saw I might have malware so I ran Symantec AV, Windows
Defender in full scan, Sysinternals' Rootkit Revealer, and Windows Malicious
Software Removal. They found nothing.

I ran Sysinternal's Process Explorer and found the following:

winlogon.exe >> Properties >> Threads
TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
Address is winlogon.exe+0x39156, and Context Switches is ~68,000.

The total thread count for this process is 22.

I've gone through msconfig to pare down what auto-starts with the same
results.

What else should I check?
 

David H. Lipman

From: "Mike in Nebraska" <[email protected]>

| [also posted on microsoft.public.windowsxp.security_admin]
| Running WinXP Pro SP3.
| ========
| I did some checking yesterday to see why my PC was "slow" and found that
| this process was using ~50% of the CPU time. Did a reboot, same thing.
| Googled it and saw I might have malware so I ran Symantec AV, Windows
| Defender in full scan, Sysinternals' Rootkit Revealer, and Windows Malicious
| Software Removal. They found nothing.
|
| I ran Sysinternal's Process Explorer and found the following:
|
| winlogon.exe >> Properties >> Threads
| TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
| Address is winlogon.exe+0x39156, and Context Switches is ~68,000.
|
| The total thread count for this process is 22.
|
| I've gone through msconfig to pare down what auto-starts with the same
| results.
|
| What else should I check?
|


Actually you Multi-Posted, not Cross-Posted.

Process Explorer shows the fully qualified path to the running process.

What is the fully qualified path to winlogon.exe ?
 

Mike_in_Nebraska

I'm at home now, and I don't remember seeing it. I'll look at it
Monday.
 

Mike in Nebraska

Sorry to reply so late ...... the path to the file is:
C:\WINDOWS\system32\winlogon.exe

Mike
 

David H. Lipman

From: "Mike in Nebraska" <[email protected]>

| Sorry to reply so late ...... the path to the file is:
| C:\WINDOWS\system32\winlogon.exe
|
| Mike
|


That's the legitimate file. The question is whether there are hooks in Winlogon that are causing
higher CPU utilization.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Save a log and open it in Notepad.

Find the lines that start with "O20 - Winlogon ..."
Copy and paste ONLY those lines in your reply.
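
The O20 check described above, as an added example that is not part of the original thread: O20 lines in a HijackThis log report the AppInit_DLLs registry value and the Winlogon Notify subkeys, and this script pulls them out of a saved log and marks DLLs outside system32 or reported missing. The sample log, its DLL names and the function names are constructed for illustration, and the line layouts are assumed to be HijackThis's usual ones.

```python
import ntpath
import re

# Constructed sample log, not from the thread; every DLL name is made up.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [example] "C:\Program Files\Example\example.exe"
O20 - AppInit_DLLs: C:\DOCUME~1\user\LOCALS~1\Temp\example1.dll
O20 - Winlogon Notify: examplehook - C:\WINDOWS\Temp\example2.dll
O20 - Winlogon Notify: examplegood - C:\WINDOWS\system32\example3.dll (file missing)
O23 - Service: Example Service - Unknown owner - C:\example\svc.exe
"""

O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")
SYSTEM32 = r"c:\windows\system32"  # the thread's install path, lower-cased


def parse_o20(log_text):
    """Return one dict per DLL named on an O20 line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        missing = rest.endswith("(file missing)")
        rest = rest.replace("(file missing)", "").strip()
        if kind == "Winlogon Notify":
            # Layout: "<Notify subkey name> - <DLL path>"
            name, _, dll = rest.partition(" - ")
            pairs = [(name, dll.strip())]
        else:
            # AppInit_DLLs is one registry value that can list several DLLs.
            pairs = [("AppInit_DLLs", d) for d in re.split(r"[,\s]+", rest) if d]
        for name, dll in pairs:
            entries.append({
                "kind": kind, "name": name, "dll": dll, "missing": missing,
                # Bare file names have no directory, so they are flagged too.
                "outside_system32": ntpath.dirname(dll).lower() != SYSTEM32,
            })
    return entries


def review_list(log_text):
    """DLL paths that deserve a closer look: outside system32 or missing."""
    return [e["dll"] for e in parse_o20(log_text)
            if e["outside_system32"] or e["missing"]]


if __name__ == "__main__":
    for e in parse_o20(SAMPLE_LOG):
        print(e)
```

A log with no O20 lines gives an empty list from `parse_o20`.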
 

Mike in Nebraska

Did as suggested but no entries of "O20 Winlogon" were in the log file.

Mike
 

David H. Lipman

From: "Mike in Nebraska" <[email protected]>

| Did as suggested but no entries of "O20 Winlogon" were in the log file.
|
| Mike


Thank you.
I am at a loss as to why you have high utilization :-(
 

Mike in Nebraska

Well, maybe it's not all a loss of time. It would appear not to be malware.
 
