cancel
Showing results for 
Search instead for 
Did you mean: 
scottyboy235
Level 7

Excessive Winlogon Activity

I have a problem with excessive winlogon.exe activity on my PC. It started a few months ago and plenty of other people seem to be complaining of the same thing.

For example last night I ran MalwareBytes' Anti-Malware program and it took 15 hours to scan 105,000 files and it still wasn't finished. When I turned McAfee real time scanning off (after disabling web access as a security precaution) it scanned 250,000 files in less than an hour. MalwareBytes didn't flag any problems and a virus scan of the laptop is totally clean.

Looking at windows task manager reveals winlogon.exe activity is oscillating between ~2% and 60% on an almost regular basis.  During peak periods the PC is almost unresponsive.

What is going on with McAfee and how can I regain normal operating functionality of my PC?

Details of my PC:

     Windows XP SP3    

     McAfee Internet Security 11.0.578, Virus Scan 15.0.291

0 Kudos
16 Replies
scottyboy235
Level 7

Re: Excessive Winlogon Activity

..what no response to this problem even after 48Hours.....

Is this a suitable strategy for handling difficult problems caused by the anti-virus program? No wonder so many people are complaining about the issue.

I am beginning to agree with the sentiments expressed in the following thread, it  reveals a lot about the company attitude

I'm really tired of the issues - McAfee you lost a longtime customer

Link is here: https://community.mcafee.com/thread/38356?start=0&tstart=0 

Come on McAfee prove that you can support customers on this issue.

0 Kudos
Hayton
Level 18

Re: Excessive Winlogon Activity

I see you're running with Internet Security 11 on an XP machine. From all that I've seen I don't think that version sits well with XP. If it were possible, I would suggest you switch back to version 10, which I still have and which seems (overall) to give fewer problems, and see if makes a difference.

As to why Internet Security v11 is so unfriendly to XP, I don't know. It may be that with Microsoft's push to kill XP and get users onto Windows 7 (or 8) the developers aren't making too much of an effort to make the product XP-compatible, but it's more likely that it's just been optimised for the PC architecture that is required for Win7. There is a big difference between the two in terms of system requirements - if you want to see just how much, download the Windows 7 update check from Microsoft and let it scan your system. It looked at mine and basically said it's not compatible because of the underlying Intel architecture. Go onto the Intel site and browse around among the chipset specifications, and you'll see that many of the older chipsets won't be supported for Win7, let alone 8.

It may be that making the product efficient for Win7/8 makes it inherently inefficient on XP :-(

As for your complaint about not getting a reply from a McAfee person, these forums are - according to the online forum guides - customer self-help spaces. The official support channels are elsewhere. If you get help from the mods, that's not the same as official McAfee support. McAfee people keep an eye on the forums - they need to know what's going on - but they're not necessarily going to answer each and every question.

Now, back to the original question about winlogon - this is something I don't get with XP and Internet Security 10, so I can't go check it. (My problems are with mcshield, and I'm still running various tests looking for ways to minimise disruption caused by CPU spiking. They might help in cases like this, and if they do I'll pass on anything I find). But system specs could be relevant. So :

How much RAM have you got and what's your processor type and speed?

Have you got multi-threading?

Is your system 32 bit or 64?

What size is your page file?

That should give an indication of how well McAfee AV should run. The rest maybe is down to optimisation.

And the winlogon problem may have little or nothing to do with McAfee anyway. I've been on the Microsoft forums, and it seems that winlogon.exe high CPU problems began (or, rather, re-started) with a Microsoft update that went out at the beginning of July. (See this Microsoft thread, which hasn't been answered). When you Google for the problem ...

winlogon -high cpu- usage xp sp3 - Google Search.png

Message was edited by: Hayton on 09/09/11 15:50:48 IST
0 Kudos
Peacekeeper
Level 20

Re: Excessive Winlogon Activity

Re Malwarebytes is that the paid /registered version that clashes with Mcafee as both have real time scanning.

on 11/09/11 6:40:12 AM
0 Kudos
yippeekaiyay
Level 7

Re: Excessive Winlogon Activity

You might want to check out the following thread: https://community.mcafee.com/thread/36177

I've experienced increased activity with winlogon.exe that's associated with System File Check/Windows File Protection due to some issues with the 11.0 version of McAfee. I'd check your Event Viewer for any warnings just before shutdown. You said you have XP SP3 and the correct version of McAfee (11.0) to make me suspect your winlogon.exe activity is a symptom of the McAfee issue.

Winlogon.exe + Mcshield.exe picks up for me whenever MalwareBytes Anti-Malware is scanning on the session following a McAfee update that requires a restart. In addition, winlogon.exe is active following these restart updates from McAfee in the first 5 minutes that XP SP3 starts. If you happen to run Process Explorer and look at the threads running under winlogon.exe, you'll see sfc_os.dll is causing the activity. This is System File Checker/Windows File Protection. We're still waiting on what's causing McAfee to trigger the WFP warnings, but I suspect winlogon.exe is tied to this. I haven't had much luck in confirmation of the winlogon.exe activity from anyone else though sadly.

0 Kudos
Hayton
Level 18

Re: Excessive Winlogon Activity

This doesn't answer anything, but it does confirm the link between winlogon.exe and SFC/WFP issues. It's a copy of a McAfee blog that hasn't been archived, from 2007. See the article ("WFP Hack Redefined") HERE.

In it is the throwaway line

sfc_os.dll is used by winlogon process to achieve this protection.

It's just a bit of background reading, but it also confirms what Microsoft say, that WFP has been targeted by malware.

If I find anything else relevant to these threads I'll pass it on.

0 Kudos
scottyboy235
Level 7

Re: Excessive Winlogon Activity

Thanks to those who replied to my original post, it makes interesting but disappointing reading.

At least I've now got a better idea of what is going on, not that I feel anyone is going to produce a viable solution soon. Junking a £1000 XP laptop because a £22 piece of software doesn't like the operating system makes no sense.

One of the symptoms I see with this problem is web pages like this taking >4mins to load (hotmail is similar), even viewing/composing forum messages is a frustrating & arduous task. I'll monitor things as suggested.

0 Kudos
scottyboy235
Level 7

Re: Excessive Winlogon Activity

I have now taken the decision to completely remove McAfee from my XP laptop because the application will not function reliably with this operating system.

Even tweaking the system settings proves fruitless -> still left with extremely sluggish performance resulting in poor/flaky web access, unresponsive to keyboard or mouse commands....the list goes on and on. In fact all the hallmarks of a 'denial of service' type virus.

Disabling McAfee gives an incredible performance boost but leaves the system wide open to a genuine virus attack.

So what exactly are McAfee charging me for - the privellage of running flaky software on an operating system and NOT informing anyone about it or attempting to fix it. Offical support channels are not  much help, all they want to do is take the PC over and do a complete reinstall. Thanks but no thanks, the application appears to have a fundamental flaw so applying a sticking plaster solution is not the answer.

Kaspersky anti-virus 2012 is now on my laptop and it does everything McAfee is unable to do. A complete scan takes less than 8 hours - no faults found. It also happily co-exists with MalwareBytes program and laptop remains useable/web access unaffected - good stuff.

If anyone asks me about McAfee I will point them in the direction of threads like these - they tell you the real story of what is going on.

0 Kudos
jrbarrie1
Level 7

Re: Excessive Winlogon Activity

I, too have experienced excessive winlogon.exe memory usage in Task Manager within the past 10 days. After 24 hours of booting up winlogon.exe will quickly expand to around 1.3 gb. Yes, I've run various anti-spyware software, virus scans (by Norton, too), have checked the registry entry, have verified the file is only under system32, etc. etc.

This link also finds users pointing the finger of blame squarely at a McAfee upgrade - <http://answers.microsoft.com/en-us/windows/forum/windows_xp-performance/winlogonexe-memory-leak-and-...>.

PLEASE MCAFEE REPAIR THIS ERROR ASAP!

0 Kudos
Dinz
Level 16

Re: Excessive Winlogon Activity

As we know Winlogon is that  Microsoft component used in Windows operating systems responsible for handling  loading the user profile on logon, and optionally locking the computer when a screen saver is running etc. Moreover , Im just curios to know if we could overcome this with the  existence of only one antivirus software that is loaded in the OS.

scottyboy235/jrbarrie1  can you try to uninstall the other antivirus software from the PC and let us know if you still experience this issue , provided please get back if you did already try this step !

0 Kudos