Why do I have 2 winlogon.exe & 2 of csrss.exe running?


  • I know this probably is not a SP3 specific issue, but I could not find a better place to turn.
    I’ve been searching the net after an answer but all I’ve found is articles regarding malware, virus intrusion etc.. ; but, I do not think that’s the reason for me to have 2 x winlogon.exe

    My winlogon.exe is located in correct path, has correct size and date, my antivirus is up-to-date; all machines are up-to-date regarding windows update, etc, no slow reactions from any machine (yet) :-).

    Can there be any circumstances when 2x winlogon.exe & 2x csrss.exe is correct?

    This is my result:
    My SBS has 2  (Loged on with domain Admin account remotely)
    Win2003R2 has 2 (same account and remotely as above)
    My old WinXP-sp3 has 2 (remote desktop + domain admin type of user)
    Another WinXP-sp3 has 2 when domain admin is logged on remotely but only one when normal domain user is logged on remotely, and only 1 when local admin is logged on remotely.
    (yes, I’m doing a lot of remote desktop, to lacey to run around)
    Virtual WinXP has 1 (normal domain user via remote)
    Virtual server2003 has 2 (domain admin type of user)

    Do you see the pattern here?, Domain Admins type of account has 2, normal users has 1.
    I have a long history with computers but I cannot remember seeing this before…

    Am I the victim of a new secret attack not yet discovered, and still in sleeping mode or is this normal?

    Kjell Liljegren

    Sunday, August 22, 2010 10:39 PM

All replies

  • IM running windows 7 and i have 2 * csrss and its got uber antivirus etc on it. Not sure its a problem, but spyware etc are known to use this name as task manager does not let you close it as far as im aware... Anyone want to ellaborate ?
    Thursday, August 26, 2010 9:16 AM
  • The normal way for intruders and virus makers is to either use the same name and different location or almost the same name and same location, or if they are really smart, they can use the same file and extend its code.

    In my case, I only have 1 file on my system named winlogon.exe and 1 file named csrss.exe, so I'm having 2 instances loaded of the same file.

    To the best of my knowledge my files are identical with Original files from MS

    If booting up in repair mode I can replace the files with same files taken from MS resources and the system works exactly the same.

    At this point I'm pretty sure, I'm not infected,but that's about all I'm sure about... :-)

    I've also checked a few client networks and several of the servers gives same result....

    I'm also a little surprise that only one out of over 300 readers replies...... the least some MVP could do is checking their own system and give a simple comment "you are infected, that's not normal" or "hmm guess what, I also have 2 of them, strange.."




    Thursday, August 26, 2010 10:41 PM
  • I to was wondering if it is normal to have two csrss.ese processes running at the same time. I think its just how windows 7 works. When I try to check the files location for each instance of the process it takes me to the same file each time. It's a very small file and its CPU usage under task manager is zero. So I guess its just part of the OS, but seems odd that two of them are required for operation. Maybe it's like the SVCHost.exe files, as in it hosts multiple processes or functions inside one process.. I don't know, Microsoft sucks at giving real answers to common questions so I doubt we will ever know what the deal is with this concern.

    I could go out on a limb here and claim its probably some kind of tracking crap intended to give MS feedback on windows usage. If its some kind of virus or malware, they did a great job inserting it in the system.

    I hate drive by downloads!!!

    Monday, April 25, 2011 8:04 PM