Winlogon.exe

    Question

  • Hi folks, I've been googling some information on programs as reported running in Task Manager. A few different sites have mentioned that winlogon.exe could be a trojan.
    My version is located in the System32 folder and is 507,904 bytes large, File date as created is 08-04-04 and most recent version date is 04-14-08. Version number is 5.1.2600.5512.
    Now, some sites have said that's ok, but that it only runs for a minute or so and then drops off. I've noticed that this program is constantly running in the task manager and am wondering what's going on.
    Should this program run constantly?
    Any info provided is appreciated.
    TIA, Bob

    Wednesday, August 27, 2008 11:20 PM

All replies

  • Hi Bob,
    My version of winlogon.exe is the same size and version number.  I've checked it with the latest updates of Windows Defender and AVG 8 Free, nothing detected so I presume it's OK.  My query about this file is, why is it not digitally signed?  Surely the fact that the file name is used for trojans is a very good reason to make sure it is digitally signed by Microsoft!  (My version was flagged as not digitally signed when I checked it using sigverif.exe).
    Does anyone have a digitally signed version of winlogon.exe for XP SP3? 
    Rich

    Wednesday, September 10, 2008 10:45 AM
  • All Microsoft .exe and .dll files are digitally signed in the system catalogues.  You can check the signature(s) of the entire system with "sigverif".  You can check the signature of a single file with sigcheck.exe, available from the SysInternals site within Microsoft.
    Wednesday, September 10, 2008 11:15 AM
  • Hi rdhw, that much I understood.  What I would like to know is what to do when you find a system file that appears not to have been digitally signed.  I ran sigverif and sigcheck and both reported that C:\Windows\System32\winlogon.exe was unsigned.  Could it be that the file version is correct but the system catalog is not up to date?

    Let us assume the catalog is up to date and the file is the problem. In that case, I want to replace my unsigned winlogon.exe with a digitally signed version from Microsoft that is also the most up-to-date version for XP SP3.  I wonder if there is a page (or catalog) on a Microsoft website where at least the latest version numbers for system files are listed?  Is there a place where hashes for the files are listed so I can use sigcheck to get a hash for my version of the file and check it against a list of hashes on a website?

    If I do try to replace the file manually, I know that original system files (such as winlogon.exe) are in the i386 folder on the XP install CD, and in .msi files for service packs.  WFP (Windows File Protection) won't let you overwrite system files, but I think you can still overwrite system files in Safe Mode.  In all this I am presuming that winlogon.exe is a system file protected by WFP, as it is found in the C:\Windows\System32\ folder.

    Wednesday, September 10, 2008 1:45 PM
  • Rich Gillis wrote:
    What I would like to know is what to do when you find a system file that appears not to have been digitally signed.  I ran sigverif and sigcheck and both reported that C:\Windows\System32\winlogon.exe was unsigned.

    That is deeply suspicious, and might indicate that malware has altered the file.
    For SP3, the latest version of winlogon.exe is version 5.1.2600.5512, dated 03:07 14 April 2008 (exact time depends on your time-zone).

    Rich Gillis wrote:
    Let us assume the catalog is up to date and the file is the problem. In that case, I want to replace my unsigned winlogon.exe with a digitally signed version from Microsoft that is also the most up-to-date version for XP SP3.

    You can copy the original SP3 version back into service:
    copy  c:\windows\ServicePackFiles\i386\winlogon.exe  c:\windows\system32\winlogon.exe
    You might need to do that in Safe Mode.  Don't fetch old versions off CDs.

    Wednesday, September 10, 2008 5:01 PM
  • That is deeply suspicious, and might indicate that malware has altered the file.
    I think you were correct there Robin.  The version in my System32 folder was dated August 15 2008.  As you said, I did have the correct signed version in my ServicePackFiles/i386 folder.  I couldn't even do the copy in Safe Mode as the winlogon process can't be terminated.  Instead I installed Windows Recovery Console from the XP CD, booted to that, and executed the copy from there.  It worked and after rebooting, sigverif no longer reports the file as unsigned.  Thanks for your help!
    Rich

    Wednesday, September 10, 2008 5:32 PM
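The check rdhw and Robin describe (verify the signature, then compare the live winlogon.exe against the ServicePackFiles copy) can be scripted so the comparison is by hash rather than by eye. This is an added example, not code from the thread or from Microsoft; it assumes PowerShell 4 or later on Windows (Get-FileHash), the default %SystemRoot% paths, and that Get-AuthenticodeSignature can see catalog signatures, which is true on modern Windows but not on the XP-era PowerShell 2.0 (there, treat NotSigned as inconclusive and fall back to sigverif or sigcheck as the thread does).

```powershell
# Added example (not from the thread). Compare the running winlogon.exe with the
# known-good ServicePackFiles copy that the thread restores from.
$live = Join-Path $env:SystemRoot 'System32\winlogon.exe'                 # assumed path
$ref  = Join-Path $env:SystemRoot 'ServicePackFiles\i386\winlogon.exe'    # assumed path

function Get-FileFacts([string]$Path) {
    # Gather the same facts the thread compares: size, version, date, hash, signature.
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # catalog-aware only on PS 3+/Win8+
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Compare-SystemFile([string]$LivePath, [string]$RefPath) {
    $a = Get-FileFacts $LivePath
    $b = Get-FileFacts $RefPath
    $findings = @()
    # A hash mismatch is the decisive signal; size/version/date only explain it.
    if ($a.SHA256 -ne $b.SHA256)  { $findings += 'hash differs from ServicePackFiles copy' }
    if ($a.Size -ne $b.Size)      { $findings += "size differs ($($a.Size) vs $($b.Size))" }
    if ($a.Version -ne $b.Version){ $findings += "version differs ($($a.Version) vs $($b.Version))" }
    if ($a.SigStatus -ne 'Valid') { $findings += "signature status is $($a.SigStatus)" }
    elseif ($a.Signer -notmatch 'Microsoft') { $findings += "signed, but not by Microsoft: $($a.Signer)" }
    [pscustomobject]@{
        Live       = $a
        Reference  = $b
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

$result = Compare-SystemFile -LivePath $live -RefPath $ref
$result.Live, $result.Reference | Format-List Path, Size, Version, Modified, SHA256, SigStatus, Signer
if ($result.Suspicious) {
    Write-Warning ("winlogon.exe does not match the reference copy: " + ($result.Findings -join '; '))
} else {
    Write-Host 'winlogon.exe matches the ServicePackFiles copy and carries a valid Microsoft signature.'
}
```

A mismatch reproduces Rich's situation (an August 2008 file of the right version number but the wrong hash); the remedy is the one Robin gives, restoring the ServicePackFiles copy from the Recovery Console, not patching the file in place.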