Windows Logon application. What is the purpose of winlogon.exe in Windows?

by Wilbur Woodham
February 2, 2021

Windows Logon application, also known as winlogon.exe is the internal process in Windows, one of dozens which are present in the latest versions of OS by Microsoft. Sometimes, such viruses as trojan-miners mimic this process. In this post, you will see how to distinguish a malicious counterfeit from a legitimate process, and also the detailed information about its purpose.

About Windows Logon app (winlogon.exe) purpose

Winlogon.exe process is an important internal app that is responsible for a wide variety of functions. First implementation of Windows Logon was present in the operating system since Windows 2000. As the time passed, its functions became more wide. Nowadays, this process is needed to perform the following system functions:1

  • Logging in/out the user account;
  • Detecting the system key combinations – Ctrl+Alt+Del and Ctrl+Shift+Esc;
  • Controlling the correct loading of the user account – allowing the HKEY_CURRENT_USER registry hive to be used by applications;
  • Managing the user logging into different system-related elements, like multiple network connections;
  • Turning on the screensaver.

    • Can I disable winlogon.exe?

    All these functions are vital for Windows to operate properly. The suspending of Windows Logon will lead to a system crash, and you will not be able to make a step backwards – Ctrl+Alt+Del combination is not working since the winlogon process is not running. The only way to bring the system back to life is to reboot the PC, but the Windows Logon will be running, again. It has a very close relations with crss.exe – another process of Windows. Moreover, you are not allowed to stop this process, because it belongs to the deep system processes. If you still want to do this action, you need to have a SE_DEBUG privilege on your account, otherwise your attempt will be canceled with a sign “Not enough rights for managing the system components”.

    Winlogon suspending window

    The times when Windows processes may be disabled to increase the system performance have passed long ago. When Windows XP was the last actual OS version, computers were quite weak, and their upgrade was quite expensive, disabling several services could really make your PC faster without any significant problems. Nowadays, such tricks can make things even worse.

    Can the Windows Logon process be malicious?

    All legitimate system processes are listed in the Windows Processes category in Task Manager. If you see a duplicate of the process from Windows processes in the list of background processes, it may be a malware. To check out the program the process belongs to, click it with a right mouse button, and choose the “Open file location” option.

    winlogon.exe root directory

    The example of proper location of Windows Logon app

    If this file is stored somewhere in the Windows/System32 folder, it is 100% legit. Don’t be scared with a massive number of processes in the background – the majority of them are needed to decrease the time of programs opening.

  • Standard scan lasts up to six minutes and checks the system files together with the files of the programs you have installed on your computer.
  • When the scan is complete, press “Apply” to wipe out the malicious items that are present on your PC.

    • Frequently Asked Questions

    Can I just delete the process from the root directory?
    No. In case if the process belongs to the legitimate system element, you will not be able to edit the root directory of the system, where it is stored, without granting yourself permission for this action. And its deletion will surely lead to a system crash without a possibility of loading the system back, because the crucial component is absent.
    Is it possible to decrease the hardware consumption of this process?
    Winlogon.exe consumes literally nothing, so you will likely see no occasions when there is a need to make it less greedy with resources. However, if you see that it takes more than 20-30% of your CPU and the same amount of RAM, it is likely a virus. Perform the guide I wrote above.
    How can I know this process is malicious without checking its root directory?
    As it was mentioned in the previous question, the CPU/RAM consumption of the original process is very low. So, the winlogon.exe that uses a lot of hardware capacity is definitely a virus. Another way to understand that this process belongs to a malicious program is its location inside of the Task Manager.

    References

    1. The full article about winlogon.exe on Wikipedia

    About the author

    Wilbur Woodham

    Technical writer covering malware detections, unwanted programs, and browser-based threats. Wilbur turns research notes into step-by-step guides that Windows users can follow safely.

    View all posts

    Leave a Comment