RE Pc what are the specs? Especially what is the cpu?
That said the issue I was thinking about causing high cpu use but for mcshield not winlogon
Not to do with Media player sharing?
You have not another Anti virus installed or paid version of Malwarebytres scanning at the same time?
Also do a scan with some of the following
Dell Inspiron T1350 @1.86Ghz, 1GB Ram
Looked at the link to media player sharing but McSvcHost isn't running at high CPU. Monitored it for a few minutes and it would pop up every 20 seconds or so with 02 CPU use. Also, the link mentioned Windows 7. I'm thinking its not related.
No other anti-virus installed. Running an unpaid version of Malwarebytes but not automatically. I manually initiate it about once a week.
Should have mentioned that both Malwarebytes and McAfee come up clean after scanning.
I'll check the other tools you mentioned and report back separately.
Lets us see what they say and I will ask the techs when we talk Tuesday Morning our time.
Just a couple of thoughts about this. Winlogon seems to be responsible for monitoring system files if the threads I see in the Process Explorer process window are anything to go by. If you haven't got Process Explorer you might find it useful in isolating whatever's goin on - downloadable from Microsoft (here).
If there's a problem with system files you might want to run sfc /scannow in a command window to make sure the files are all okay.
Second thought is that 1Gb of RAM just isn't enough for McAfee. Sorry, but that's undoubtedly true. On my XP box everything struggled with 1Gb, and there's going to be a lot of swapping in and out of memory, which means masses of disk access and page faults. I found 1.5Gb to be just about sufficient, but could really have done with 2 or even 3Gb. Same probably goes for your XP machine.
Second what Peter said process explorer will tell you what winlogon is actually doing.
Thank you both for your suggestions. Here are the results (so far):
1) Ran RootKitRemover - it found nothing
2) Ran Stinger - it found nothing
3) Downloaded Process Explorer - installed and ran it. I can tell you a lot of things, but I really have no idea what I'm looking at. In the DLLs view, there were a lot of items that came up green, then red, then green, then red and finally they were permanently listed and no more light show. :-) There were 4 relocated DLLs. In the Threads view, there were only a couple of items than did the red/green thing. I read the help and I can operate it, but I don't know what it means. Perhaps if you have a couple of specific questions I'll be more help reporting back on this tool? While playing with the tool Winlogon took off is is now hogging upwards of 99% of the CPU making this a challenging communication to write. I disabled auto scanning on McAfee after rebooting and it went away.
4) Interestingly, I can't do a system restore through the Start menu. I tried yesterday and it only let me look at Dec 1st. Today I can only look at Dec 2nd. I'll try the other suggestions as soon as I get a little control back. I booted in Safe Mode with Networking and was still unable to go back to November. Just tried the Help & Support/Undo changes and it didn't work. The restore/rstrui on the command line does the same. I know I looked at November's restore points sometime around the 18th and it was working ok then.
5) Ran sfc /scannow - as soon as it started winlogon went up to 99% CPU usage. As soon as this utility finished running (and reported nothing), it went away.
6) Am I just imaging this or does winlogon not like the attention it is getting? This is looking more and more like a virus, don't you think?
PS: Oh, and in my spare time I make sushi and enchiladas. LOL
In Process Explorer just double-click a running process to get its Properties window - see below.
Yes this could be malware but it doesn't have to be. One thing you haven't told us is which McAfee program you've got (Internet Security? AntiVirus?) and what version. This might be relevant because there are threads here from a while back about this problem and the version - back then - played a part. There are also threads on the Microsoft forums about this issue. All seem to be limited to older machines running XP with McAfee installed
See also - perhaps especially -
where continuous winlogon cpu activity was associated with a lot of strange child processes under winlogon. This thread has contributions from a Microsoft MVP, and recommends the use of Process Explorer as a first step. There are links to other websites if you want to run HijackThis and post the logs in a specialist forum. The thread is an old one but the basic advice is good and the links are useful.
I have to say you're certainly not alone in seeing this : there are hundreds of posts to different tech forums. Trying to find a common denominator isn't easy. One thing you should do (and most of the threads say this) is look in the XP Event Logs for recurrent error messages.
First though, what processes are running under winlogon in ProcExp?
I'm running McAfee Security Center 11.6, build 11.6.435, Affld 105-72
Virus Scan 15.6, build 15.6.231, dat version 6912, boot Dat version: 6908.000
Personal Firewall 12.6, build 12.6.186
Anti-Spam 12.6, build 12.6.144
Here's the performance graph from the Properties Window with AutoScan on:
And here is a sample of some of the DLL's that go from green to red.
Last, I looked at the Event Viewer and there are some errors and warnings among all of the information items. Is there anything in particular that I should pay attention to? There's a lot of stuff there and I don't know what it all means. No winlogon specific messages.
Sandra were you intending to post some graphs?