Windows Logon application, also known as winlogon.exe is the internal process in Windows, one of dozens which are present in the latest versions of OS by Microsoft. Sometimes, such viruses as trojan-miners mimic this process. In this post, you will see how to distinguish a malicious counterfeit from a legitimate process, and also the detailed information about its purpose.
About Windows Logon app (winlogon.exe) purpose
Winlogon.exe process is an important internal app that is responsible for a wide variety of functions. First implementation of Windows Logon was present in the operating system since Windows 2000. As the time passed, its functions became more wide. Nowadays, this process is needed to perform the following system functions:1
Can I disable winlogon.exe?
All these functions are vital for Windows to operate properly. The suspending of Windows Logon will lead to a system crash, and you will not be able to make a step backwards – Ctrl+Alt+Del combination is not working since the winlogon process is not running. The only way to bring the system back to life is to reboot the PC, but the Windows Logon will be running, again. It has a very close relations with crss.exe – another process of Windows. Moreover, you are not allowed to stop this process, because it belongs to the deep system processes. If you still want to do this action, you need to have a SE_DEBUG privilege on your account, otherwise your attempt will be canceled with a sign “Not enough rights for managing the system components”.
The times when Windows processes may be disabled to increase the system performance have passed long ago. When Windows XP was the last actual OS version, computers were quite weak, and their upgrade was quite expensive, disabling several services could really make your PC faster without any significant problems. Nowadays, such tricks can make things even worse.
Can the Windows Logon process be malicious?
All legitimate system processes are listed in the Windows Processes category in Task Manager. If you see a duplicate of the process from Windows processes in the list of background processes, it may be a malware. To check out the program the process belongs to, click it with a right mouse button, and choose the “Open file location” option.
If this file is stored somewhere in the Windows/System32 folder, it is 100% legit. Don’t be scared with a massive number of processes in the background – the majority of them are needed to decrease the time of programs opening.
However, if this process is located among the users processes and “Open file location” leads to the unknown directory, it is recommended to check your PC with antimalware software. My choice for this case is GridinSoft Anti-Malware.
Removing the viruses with GridinSoft Anti-Malware
Frequently Asked Questions
No. In case if the process belongs to the legitimate system element, you will not be able to edit the root directory of the system, where it is stored, without granting yourself permission for this action. And its deletion will surely lead to a system crash without a possibility of loading the system back, because the crucial component is absent.
Winlogon.exe consumes literally nothing, so you will likely see no occasions when there is a need to make it less greedy with resources. However, if you see that it takes more than 20-30% of your CPU and the same amount of RAM, it is likely a virus. Perform the guide I wrote above.
As it was mentioned in the previous question, the CPU/RAM consumption of the original process is very low. So, the winlogon.exe that uses a lot of hardware capacity is definitely a virus. Another way to understand that this process belongs to a malicious program is its location inside of the Task Manager. System processes are listed in the corresponding thread, so the Windows Logon application among the user’s background processes is a sign of malware presence.
User Review( votes)
- The full article about winlogon.exe on Wikipedia