winlogon.exe consumes 50% CPU after XP Pro SP3 update

[Dale Chamberlain]

After updating my Windows XP Pro machine from SP2 to SP3, I have run into a
problem where winlogon.exe is consuming 50% CPU on an AMD dual core processor
machine.

Normal windows shutdown does not work. I am forced to hold down on the power
button to shut down the computer.

Any one else experiencing this problem? Any thoughts as to what is causing
it (besides the SP3 update)?

 

[Thee Chicago Wolf]

After updating my Windows XP Pro machine from SP2 to SP3, I have run into a

problem where winlogon.exe is consuming 50% CPU on an AMD dual core processor
machine.

Normal windows shutdown does not work. I am forced to hold down on the power
button to shut down the computer.

Any one else experiencing this problem? Any thoughts as to what is causing
it (besides the SP3 update)?

Well, I've seen this occur on some machines that have had SP3 just
installed on them. I let the system alone for a few minutes and
eventually it returns to 0% usage. It almost seemed as if it was doing
some sort of update and was using winlogon.exe in the process. The
next time I rebooted the computer it did not have any high CPU
utilization. Is it continuing to be at 50% even after a long duration
of use or time has passed?

A couple of KB articles have been released since SP3 was released. One
remains published and the other is still not yet available in the KB.

Go to Control Panel > Administrative Tools > Event Viewer and see if
there's anything weird in there (Red flags, yellow flags) relating to
the winlogon.exe process.

- Thee Chicago Wolf

 

[Dale Chamberlain]

I have left the machine run all day (12 hours or more) and it shows that
winlogon.exe continues to consume 50% of the CPU. Most of the time when I
boot up the machine, winlogon seems to behave normally. But then something
later triggers it to go into the 50% consumption mode and it won't stop until
I physically power off the computer. I can't even shut down normally; I have
to hold down on the power button to shut it down.

I looked at the Event Viewer and it shows no red or yellow flags related to
winlogon.exe. Today's session is clear of any flags, but yesterday's shows
where I had to crash Windows Media Player since it wouldn't end normally. I
don't know if that is related to the winlogon problem or not.

I fear I may have to reload Windows to get rid of this problem.

Dale

 

[PA Bear [MS MVP]]

Free unlimited installation and compatibility support is available for
Windows XP, but only for Service Pack 3 (SP3), until 14 Apr-09. Chat and
e-mail support is available only in the United States and Canada. Go to
http://support.microsoft.com/oas/default.aspx?gprid=1173 | select "Windows
XP" then select "Windows XP Service Pack 3"

 

[Thee Chicago Wolf]

I have left the machine run all day (12 hours or more) and it shows that

winlogon.exe continues to consume 50% of the CPU. Most of the time when I
boot up the machine, winlogon seems to behave normally. But then something
later triggers it to go into the 50% consumption mode and it won't stop until
I physically power off the computer. I can't even shut down normally; I have
to hold down on the power button to shut it down.

I looked at the Event Viewer and it shows no red or yellow flags related to
winlogon.exe. Today's session is clear of any flags, but yesterday's shows
where I had to crash Windows Media Player since it wouldn't end normally. I
don't know if that is related to the winlogon problem or not.

I fear I may have to reload Windows to get rid of this problem.

That's very suspicious behavior if winlogon.exe starts consuming CPU
cycles. We can surely see what's attached to Winlogon that may or may
not be causing it by downloading Process Explorer (Free, grab it here:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx), firing
it up, and looking at the Winlogon.exe process and anything attached
to it.

I opened up Process Explorer on my PC and can see services.exe, 5
instances of SVChost, spoolsv, mdm, and lsass.exe. I would guess yours
would look the same but my hunch is you'll see that one of the
svchost.exe's is doing some kind of monkey business. Try that next and
let me know what you find.

- Thee Chicago Wolf

 

[Dale Chamberlain]

Here is what Process Explorer is showing for winlogon.exe:

winlogon.exe
services.exe
svchost.exe
obroker.exe
rapimgr.exe
hpdarc.exe
svchost.exe
svchost.exe
wuauclt.exe
TPSrv.exe
svchost.exe
svchost.exe
spoolsv.exe
schedul2.exe
AppleMobileDeviceService.exe
mDNSResponder.exe
CepstralLicSrv.exe
cisvc.exe
cidaemon.exe
cidaemon.exe
DkService.exe
GoogleUpdaterService.exe
LSSrvc.exe
MDM.EXE
NBService.exe
nvsvc32.exe
PsCtrlS.exe
apvxdwin.exe
SrvLoad.exe
WebProxy.exe
PavBckPT.exe
PAVFNSVR.EXE
PavPrSrv.exe
PAVSRV51.EXE
AVENGINE.EXE
HPZipm12.exe
pskmssvc.exe
PSIService.exe
PSHost.exe
PsImSvc.exe
svchost.exe
ULCDRSvr.exe
nmsrvc.exe
alg.exe
FNPLicensingService.exe
dllhost.exe
msdtc.exe
lsass.exe

 

[Thee Chicago Wolf]

Here is what Process Explorer is showing for winlogon.exe:

winlogon.exe
services.exe
svchost.exe
obroker.exe
rapimgr.exe
hpdarc.exe
svchost.exe
svchost.exe
wuauclt.exe
TPSrv.exe
svchost.exe
svchost.exe
spoolsv.exe
schedul2.exe
AppleMobileDeviceService.exe
mDNSResponder.exe
CepstralLicSrv.exe
cisvc.exe
cidaemon.exe
cidaemon.exe
DkService.exe
GoogleUpdaterService.exe
LSSrvc.exe
MDM.EXE
NBService.exe
nvsvc32.exe
PsCtrlS.exe
apvxdwin.exe
SrvLoad.exe
WebProxy.exe
PavBckPT.exe
PAVFNSVR.EXE
PavPrSrv.exe
PAVSRV51.EXE
AVENGINE.EXE
HPZipm12.exe
pskmssvc.exe
PSIService.exe
PSHost.exe
PsImSvc.exe
svchost.exe
ULCDRSvr.exe
nmsrvc.exe
alg.exe
FNPLicensingService.exe
dllhost.exe
msdtc.exe
lsass.exe

All that is beneath the winlogon.exe branch as shown in Process
Explorer!? That seems like a lot. In any case, when you have Process
Explorer open, watch for any specific application beneath winlogon.exe
that might be causing usage specifically. I don't suspect winlogon.exe
itself is doing this. Keep an eye on the CPU column and see if a
specific app in that list of yours is gobbling up cycles. In the
column to the right of the application, you can see some specifics
such Description and Company name. Note that info in your reply.

- Thee Chicago Wolf

 

[Dale Chamberlain]

Yes, all of these are listed under winlogon.exe. When I was running Process
Explorer, winlogon.exe itself was showing 49-50% CPU utilization, and
occassionally a process under it would flash .77% utilization. I never saw
any one process continually using CPU for long periods of time, except for
winlogon.exe.

I've run virus scans, spyware scans and nothing was found.

However, the last 3 times I've booted the machine everything seemed to be
normal. Then suddenly I get a popup "winlogon.exe - Application error
The instruction at "0x011bcad4" referenced memory at "0x011bcad4". The
memory could not be "written"
Click on OK to terminate the program
Click on CANCEL to debug the program"

Sometimes the addresses displayed are different, but in each case both the
"instruction at" and the "referenced memory" addresses are the same. Of
course, clicking on OK causes the system to reboot.

I'm thinking that it is time for the annual "Reload Windows" routine. Thank
you Microsoft!

 

[PA Bear [MS MVP]]

1. Free unlimited installation and compatibility support is available for
Windows XP, but only for Service Pack 3 (SP3), until 14 Apr-09. Chat and
e-mail support is available only in the United States and Canada. Go to
http://support.microsoft.com/oas/default.aspx?gprid=1173 | select "Windows
XP" then select "Windows XP Service Pack 3"

2. The behavior could be totally unrelated to the install of WinXP SP3.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

 

[Thee Chicago Wolf]

Yes, all of these are listed under winlogon.exe. When I was running Process

Explorer, winlogon.exe itself was showing 49-50% CPU utilization, and
occassionally a process under it would flash .77% utilization. I never saw
any one process continually using CPU for long periods of time, except for
winlogon.exe.

I've run virus scans, spyware scans and nothing was found.

However, the last 3 times I've booted the machine everything seemed to be
normal. Then suddenly I get a popup "winlogon.exe - Application error
The instruction at "0x011bcad4" referenced memory at "0x011bcad4". The
memory could not be "written"
Click on OK to terminate the program
Click on CANCEL to debug the program"

Sometimes the addresses displayed are different, but in each case both the
"instruction at" and the "referenced memory" addresses are the same. Of
course, clicking on OK causes the system to reboot.

I'm thinking that it is time for the annual "Reload Windows" routine. Thank
you Microsoft!

Well, maybe you don't have to throw in the towel just yet. Now if it
threw and exception, that should be in the Event Viewer and perhaps
even reference some other service (EXE) or perhaps a DLL it doesn't
like. Check event viewer again and see if there's anything there now.

There has been one update to winlogon.exe that was released since SP3
came out. If event viewer doesn't yield anything, visit
http://support.microsoft.com/kb/948277. While you aren't experiencing
the issue mentioned, it certainly would not hurt to get the fix and
apply it to see if it remedies your issue. You never know and I'm
hoping to spare you the trouble of reloading Windows.

If you want to try it, click the link "View and request hotfix
downloads" at the top of the page, accept the agreement, and fill in
the form. When you click submit, they send a link to the fix to the
e-mail address you supply within a minute or two. It'll be a password
protected file but they supply you with the password. Download,
extract the file, install the patch, reboot. Let me know how it goes.

- Thee Chicago Wolf

 

[Dale Chamberlain]

Thanks Thee Chicago Wolf,

I went to the Hotfix at http://support.microsoft.com/kb/948277 and applied
it. So far I have been running for a few hours now with the hotfix in place
and winlogon.exe has been behaving like it should, no usual CPU consumption
and no appication errors. I'm keeping my fingers crossed at this point since
this is the longest I've gone without some problem popping up.

Since the date of the winlogon.exe I had before the hotfix was 4-13-2008 and
now it is 4-24-2008, I am assuming it was a problem with the initial SP3
release.

Anyway, it is looking good! Thanks again,

Dale

 

[Thee Chicago Wolf]

Thanks Thee Chicago Wolf,

I went to the Hotfix at http://support.microsoft.com/kb/948277 and applied
it. So far I have been running for a few hours now with the hotfix in place
and winlogon.exe has been behaving like it should, no usual CPU consumption
and no appication errors. I'm keeping my fingers crossed at this point since
this is the longest I've gone without some problem popping up.

Since the date of the winlogon.exe I had before the hotfix was 4-13-2008 and
now it is 4-24-2008, I am assuming it was a problem with the initial SP3
release.

Anyway, it is looking good! Thanks again,

Dale

Cool. Thanks good info to know so that I can recommend this to others
with a similar issue. Yes, it is entirely possible that some issue
with the 4-13-2008 winlogon.exe was found and it's possible that it is
outside of the scope of the specifics in KB948277. Since it seems to
have worked for you there must have been something else in that fix
that address what was happening to you. Glad you didn't have to reload
Windows. Cheers.

- Thee Chicago Wolf

 

[Dale Chamberlain]

Well spoke too soon. The next day it was back to its old tricks. Right now
it is using 50% of the CPU.

I can't seem to find a pattern to what triggers it. If I try to open a
ticket with with Microsoft, my IE just sits there while it tries to run an
Activex control. It never comes back from it.

Other problems that I'm experiencing are:

IE 7 just goes away with no message;
Windows Media Player will not exit gracefully. Always does a minidump.
Quicklaunch items go away on subsequent reboots, even after restoring them
again and locking the taskbar.

The winlogon.exe is the biggest problem because it consume so many resources
and is a stability problem.

I'm going to start preparing for a reload of Windows. Question is do I try
and apply SP3 before I start reinstalling apps, or just stay away from SP3
altogether?

Dale

 

[PA Bear [MS MVP]]

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

 

[Thee Chicago Wolf]

Well spoke too soon. The next day it was back to its old tricks. Right now

it is using 50% of the CPU.

I can't seem to find a pattern to what triggers it. If I try to open a
ticket with with Microsoft, my IE just sits there while it tries to run an
Activex control. It never comes back from it.

Other problems that I'm experiencing are:

IE 7 just goes away with no message;
Windows Media Player will not exit gracefully. Always does a minidump.
Quicklaunch items go away on subsequent reboots, even after restoring them
again and locking the taskbar.

The winlogon.exe is the biggest problem because it consume so many resources
and is a stability problem.

I'm going to start preparing for a reload of Windows. Question is do I try
and apply SP3 before I start reinstalling apps, or just stay away from SP3
altogether?

Oh man! Well, we tried.

If you really want to do a clean install, I do recommend you use your
XP CD, get the full SP3 from MS, and grab nlite 1.4.9 and use it to
create an SP3 slipstreamed CD so that when you re-install XP, it'll
already be at SP3 level. It will certainly tell you if SP3
winlogon.exe is culprit when you first boot. I don't think SP3 is what
caused the issue, it may have just exposed some issue on your machine
in its current state. I have had stellar success with a new install of
XP SP3 (slipstreamed) on a new batch of 100 Optiplex 755 Dells at my
site.

- Thee Chicago Wolf

 

[Alias]

Oh man! Well, we tried.

If you really want to do a clean install, I do recommend you use your
XP CD, get the full SP3 from MS, and grab nlite 1.4.9 and use it to
create an SP3 slipstreamed CD so that when you re-install XP, it'll
already be at SP3 level. It will certainly tell you if SP3
winlogon.exe is culprit when you first boot. I don't think SP3 is what
caused the issue, it may have just exposed some issue on your machine
in its current state. I have had stellar success with a new install of
XP SP3 (slipstreamed) on a new batch of 100 Optiplex 755 Dells at my
site.

- Thee Chicago Wolf

Is it true that you have to type in the Product Key after Windows is
installed?

Alias

 

[Thee Chicago Wolf]

If you really want to do a clean install, I do recommend you use your

Is it true that you have to type in the Product Key after Windows is
installed?

Alias

In my situation, I typed it in before I installed it since it was
convenient and I had it handy. It is supposed to let you input it
later but I have not tried that option so I can't confirm it works.
Sorry.

- Thee Chicago Wolf

 

[Alias]

In my situation, I typed it in before I installed it since it was
convenient and I had it handy. It is supposed to let you input it
later but I have not tried that option so I can't confirm it works.
Sorry.

- Thee Chicago Wolf

Oh, you can do it either way, then, or in theory anyway. Was there
anything else that was different than installing XP with SP2?

Alias

 

[Thee Chicago Wolf]

Oh, you can do it either way, then, or in theory anyway. Was there

anything else that was different than installing XP with SP2?

No, there was none observable visually. It did seem to install a bit
faster but this is probably relative. I should have done a timed
benchmark of SP2 v. SP3. Cheers.

- Thee Chicago Wolf

 

[Dale Chamberlain]

Yes, I was planning to slipstream an SP3 disk once I got to that point. I
haven't reinstalled XP yet. I thought I would do a bit more experimentation.

I've tried booting without loading any of the startup programs, thinking
that maybe the culprit might be there. It starts up fine, but then
winlogon.exe either gives an error message or goes into the 50% CPU loop
within 15 minutes of boot up. Wierd! And each time I have to crash the system
to shut it down. And no unusual red flags in the event log either.

I'll try to start up with only the basic stuff and see what happens.

Dale