CROSS-POST - winlogon.exe consuming 50% CPU time


Mike in Nebraska

[also posted on microsoft.public.windowsxp.security_admin]
Running WinXP Pro SP3.
========
I did some checking yesterday to see why my PC was "slow" and found that
this process was using ~50% of the CPU time. Did a reboot, same thing.
Googled it and saw I might have malware so I ran Symantec AV, Windows
Defender in full scan, Sysinternal's Rootkit Revealer, and Windows Malicious
Software Removal. They found nothing.

I ran Sysinternal's Process Explorer and found the following:

winlogon.exe >> Properties >> Threads
TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
Address is winlogon.exe+0x39156, and Context Switches is ~68,000.

The total thread count for this process is 22.

I've gone through msconfig to pare down what auto-starts with the same
results.

What else should I check?
 
From: "Mike in Nebraska" <[email protected]>

| [also posted on microsoft.public.windowsxp.security_admin]
| Running WinXP Pro SP3.
| ========
| I did some checking yesterday to see why my PC was "slow" and found that
| this process was using ~50% of the CPU time. Did a reboot, same thing.
| Googled it and saw I might have malware so I ran Symantec AV, Windows
| Defender in full scan, Sysinternal's Rootkit Revealer, and Windows Malicious
| Software Removal. They found nothing.
|
| I ran Sysinternal's Process Explorer and found the following:
|
| winlogon.exe >> Properties >> Threads
| TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
| Address is winlogon.exe+0x39156, and Context Switches is ~68,000.
|
| The total thread count for this process is 22.
|
| I've gone through msconfig to pare down what auto-starts with the same
| results.
|
| What else should I check?
|


Actually you Multi-Posted not Cross-Posted.

Process Explorer shows the fully qualified path to the running process.

What is the fully qualified path to winlogon.exe ?
 
Sorry to reply so late ...... the path to the file is:
C:\WINDOWS\system32\winlogon.exe

Mike
 
From: "Mike in Nebraska" <[email protected]>

| Sorry to reply so late ...... the path to the file is:
| C:\WINDOWS\system32\winlogon.exe
|
| Mike
|


That's the legitimate file. The question is are there hooks in Winlogon that are causing a
higher CPU utilization.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Save a log and open it in Notepad.

Find the lines that start with "O20 - Winlogon ..."
Copy and paste ONLY those lines in your reply.
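
Added example, not part of the thread and not HijackThis code: a small Python filter that pulls the "O20 - Winlogon Notify" lines out of a saved log and flags the ones worth a closer look. The line layout (`O20 - Winlogon Notify: <name> - <dll>`), the `(file missing)` suffix, the system32 heuristic, and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample log: entry names and paths are illustrative, not from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: examplelogon - C:\WINDOWS\system32\examplelogon.dll
O20 - Winlogon Notify: examplehook - C:\WINDOWS\Temp\examplehook.dll
O20 - Winlogon Notify: examplegone - examplegone.dll (file missing)
O23 - Service: Example Service - C:\Program Files\Example\svc.exe
"""

# Assumed line layout: "O20 - Winlogon Notify: <name> - <dll>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
MISSING = "(file missing)"


def winlogon_notify_entries(log_text):
    """Return one dict per 'O20 - Winlogon Notify' line, with triage flags."""
    entries = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if not m:
            continue
        dll = m.group("dll").strip()
        flags = []
        if dll.endswith(MISSING):
            dll = dll[: -len(MISSING)].strip()
            flags.append("file missing")
        # Assumed heuristic: notify DLLs normally live in system32. A bare
        # file name is resolved by the loader, so only full paths are checked.
        if "\\" in dll and not dll.lower().startswith(SYSTEM32):
            flags.append("outside system32")
        entries.append({"name": m.group("name"), "dll": dll, "flags": flags})
    return entries


def needs_review(log_text):
    """Names of the notify packages that carry at least one flag."""
    return [e["name"] for e in winlogon_notify_entries(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in winlogon_notify_entries(SAMPLE_LOG):
        print(e["name"], e["dll"], ", ".join(e["flags"]) or "ok")
```

An empty result means the log has no Winlogon Notify entries at all, which is a different outcome from entries that are present but unflagged.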
 
Did as suggested but no entries of "O20 Winlogon" were in the log file.

Mike
 
From: "Mike in Nebraska" <[email protected]>

| Did as suggested but no entries of "O20 Winlogon" were in the log file.
|
| Mike


Thank you.
I am at a loss as to why you have high utilization :-(
 
Well, maybe it's not all a loss of time. It would appear not to be malware.
 