tech help


jumpy
01-13-06, 08:01 PM
Hey guys, recently I have encountered the following app alerting my firewall to its presence: winlogon.exe
I'm a bit concerned it might be something untoward.
Anybody know what this is for and why some programs are asking for access to it and/or for it to access the internet? My firewall picked it up trying to access the net, so I denied it access as it's never asked before.
Programs which have since activated an associated firewall warning with this app:
- messenger
- sniper elite (game)

Up-to-date virus scan with Norton AV 2005, Spybot, Ad-Aware etc.; everything checks out fine. I've done some checking on the net and it would appear that this is a legitimate part of Windows operation:
The Windows Logon Process is responsible for managing user logon and logoff, and checks the Windows XP activation code. Must be in system32 folder.
Suspicion should only arise if the following occurs:
WINLOGON is the Windows component, winlogin.exe is not. The below link is what I used to fix it... my firewall caught it trying to connect to the internet; if it can't, it seems harmless. Ah well, problem solved for me. See also: Link (http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html)

I've searched my HD and this app only occurs in the system32 folder (legitimate windows app location?) and nowhere else.
Anybody know anything more about this?

Iceman
01-13-06, 11:41 PM
some quotes about it I have found...

As said by others, this process is responsible for managing user logon and logoff, both in Windows 2000 and Windows XP. It is perfectly normal and safe, AS LONG AS IT'S IN THE SYSTEM32 FOLDER! If it's running from anywhere else, it's a FAKE - some malware often names itself as a trusted program, only in another directory.


I have seen one instance where winlogin.exe (as opposed to winlogon.exe) keeps getting re-entered in the HKLM\...\run\ regkey. As far as I can tell, winlogon.exe is good, winlogin.exe is bad.


This is a standard for NT machines; it can be found in NT/2000/XP but not in Windows 98/95/ME. However, from what I have experienced, there is a virus CLONE of this and obviously it needs to be gone. If you are using 95/98/ME and there is a winlogon.exe (or similar) then kill it, you don't need it. NT/2000/XP users will have to look closely at the filename: if it's Winlogon.exe then it's OK; if it's WinIogon.exe (with capital i) kill it, or if it's Winlogin.exe (notice the change from logon to login) then kill it. But do use extreme caution, as you could lock yourself out if you delete the wrong one.


This thing may or may not be the real deal, since on my machine, it shows up as file location \??\C:\WINDOWS\system32\winlogon.exe. When I "Remove" the app, the whole computer just shuts off, and I get a BSD (Blue Screen of Death). This is very odd on a Windows XP machine. In fact this may be the first BSD I have ever seen on XP!


This last post here seems a very, very likely result of removing a critical system file. :)...

Norton's web site seems to indicate some nasty imposters... with one possible variant of the W32.Netsky@mm worm...
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

but from what you say you sound like you're OK... doggone computer hackers... I hate 'em too. Stay vigilant!... but I don't know why it would want to connect to the net; that is suspicious.
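The checks the posts above describe (exact name running from system32, look-alike spellings such as winIogon.exe and winlogin.exe, a look-alike re-entered under the Run key) collected into one script, as an added example that is not from anyone in this thread. It is Python, assumes the default install root C:\WINDOWS, and runs over a constructed process list and a constructed .reg export rather than a live machine. The `\??\` prefix that one quote mentions is just the NT object-manager prefix in front of a Win32 path, so it is stripped before the comparison.

```python
r"""Added example, not from the thread: triage processes and Run-key entries whose
name resembles winlogon.exe. Assumes the default XP root C:\WINDOWS; every sample
below is constructed."""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"   # assumption: default install root
GENUINE_IMAGE = ntpath.normcase(ntpath.join(SYSTEM_ROOT, "system32", "winlogon.exe"))
TARGET = "winlogon.exe"
MAX_LOOKALIKE_DISTANCE = 2    # winIogon, winlogin, winl0gon are all one edit away


def edit_distance(a, b):
    """Plain Levenshtein distance; filenames are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical_path(path):
    r"""Drop the NT object-manager prefix (\??\ or \\?\) some tools display in front
    of a Win32 path, collapse '..' and '/', and lower-case for comparison."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    return ntpath.normcase(ntpath.normpath(path))


def classify(name, image_path):
    r"""genuine        exact name, running from %SystemRoot%\system32
    wrong-location exact name, any other directory
    lookalike-name a couple of edits from winlogon.exe (I for l, login for logon, 0 for o)
    unrelated      not a winlogon impostor candidate"""
    lowered = name.lower()
    if lowered == TARGET:
        return "genuine" if canonical_path(image_path) == GENUINE_IMAGE else "wrong-location"
    if edit_distance(lowered, TARGET) <= MAX_LOOKALIKE_DISTANCE:
        return "lookalike-name"
    return "unrelated"


RUN_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def autorun_impostors(reg_text):
    """Scan an exported Run key (regedit .reg format) for images named like winlogon.exe.
    The real logon process is started by smss.exe, never from a Run value, so every hit
    is worth a look, including one whose path is the genuine system32 location."""
    hits = []
    for line in reg_text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if not m:
            continue
        value_name, raw = m.groups()
        command = re.sub(r"\\(.)", r"\1", raw)      # undo .reg escaping of \ and "
        exe = re.match(r'"?(.*?\.exe)', command, re.IGNORECASE)
        if not exe:
            continue
        image = exe.group(1)
        verdict = classify(ntpath.basename(image), image)
        if verdict != "unrelated":
            hits.append((value_name, image, verdict))
    return hits


# Constructed process listing: (image name as displayed, full path as displayed)
SAMPLE_PROCESSES = [
    ("winlogon.exe", r"\??\C:\WINDOWS\system32\winlogon.exe"),  # genuine, NT-prefixed
    ("winlogon.exe", r"C:\WINDOWS\winlogon.exe"),               # right name, wrong folder
    ("winIogon.exe", r"C:\WINDOWS\system32\winIogon.exe"),      # capital I for lowercase l
    ("winlogin.exe", r"C:\WINDOWS\system32\winlogin.exe"),      # login, not logon
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

# Constructed .reg export of HKLM\...\Run
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"winlogin"="C:\\WINDOWS\\system32\\winlogin.exe"
"Logon"="\"C:\\WINDOWS\\system32\\winlogon.exe\""
'''


def triage(processes=SAMPLE_PROCESSES):
    """Return (name, verdict) for each process entry."""
    return [(name, classify(name, path)) for name, path in processes]


if __name__ == "__main__":
    for name, verdict in triage():
        print(f"{name:14} {verdict}")
    for value_name, image, verdict in autorun_impostors(SAMPLE_RUN_KEY):
        print(f"Run value {value_name!r} -> {image} [{verdict}]")
```

Name and location are only the first filter: as Jesper points out further down, a file in the right place with the right name can still have been replaced. For that case compare the file's hash against a copy from trusted install media, or check its Authenticode signature, before trusting it.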

Jesper
01-14-06, 06:35 AM
If you suspect that the file is infected:

get the file from a trusted location and boot to cmd prompt and overwrite the file.

You have to keep in mind that even if the file is in the location where Windows wants it to be, it can still be a hacked file.
Even though the file cannot be overwritten while Windows is running, the malicious file could have been in c:\system restore until you rebooted.


What you are seeing is probably a legit check: while you have Windows Automatic Update running, XP will validate your key before it checks/downloads updates, as stolen keys are now only allowed to get critical updates. No harm in that; however, it could be someone trying to access your system remotely as a user.
If you still have your firewall log, post the IP address that the file was trying to establish a connection to. If you don't want to post other people's IPs here, send me a PM. (Posting other people's IPs in public is a violation of Internet privacy, and it is illegal.)

jumpy
01-16-06, 06:51 AM
Thanks guys, I've run a few more AV checks and stuff like that and everything seems to be in order.
I guess if there's any future doubt over this my yearly/6-monthly (ish) format of my C drive will take care of any dodginess.