1 2 3 Previous Next 22 Replies Latest reply on Dec 2, 2012 6:51 PM by Hayton

    New Winlogon Problem? Too active, too much cpu, slows computer

      My computer started running slowly in the last couple of weeks.  I noticed that winlogon is now running in the top 5 of my programs all the time (CPU usage ranging from 4 to 80%), size 50Kb give or take.  I watch my processes fairly often so this is a new development.   After googling for some answers I came across discussions about a similar problem in 2011 when Windows 7 was released.  McAfee subsequently issued an update.  Now, Windows 8 was just released.  Could the same problem be cropping up again.  I took the suggestion from the other discussions to deactivate real-time scanning and "lo and behold", winlogon stopped running every 15 seconds and my programs now run they way they should.  Anyone experience the same thing or have any thoughts on this?  I'm running Windows XP professional, SP3.

       

      And yes, I just bought a new computer with Windows 7 because this one is about 6 years old.  Well, and some other reasons too.  But I've got an incredible amount of stuff on this one and I'm not willing to give it up yet.  I'm serious about virus protection but live in a 3rd (probably 4th by a lot of standards) country with extremely slow VSAT based internet and I really really don't have a lot of patience when the basic programs on my computer slow down too.  Hence my request for information.

       

      Thanks all!

       

      Sandra

        • 1. Re: New Winlogon Problem? Too active, too much cpu, slows computer
          Peacekeeper

          RE Pc what are the specs? Especially what is the cpu?

           

          That said the issue I was thinking about causing high cpu use but for mcshield not winlogon

           

          Not to do with Media player sharing?

          https://community.mcafee.com/message/128699#128699

           

          You have not another Anti virus installed or paid version of Malwarebytres scanning at the same time?

           

          Also do a scan with some of the following

          McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

          • 2. Re: New Winlogon Problem? Too active, too much cpu, slows computer

            Hi Tony,

             

            Dell Inspiron T1350 @1.86Ghz, 1GB Ram

             

            Looked at the link to media player sharing but McSvcHost isn't running at high CPU.  Monitored it for a few minutes and it would pop up every 20 seconds or so with 02 CPU use.  Also, the link mentioned Windows 7.  I'm thinking its not related.

             

            No other anti-virus installed.  Running an unpaid version of Malwarebytes but not automatically.  I manually initiate it about once a week.

             

            Should have mentioned that both Malwarebytes and McAfee come up clean after scanning.

             

            I'll check the other tools you mentioned and report back separately.

             

            Thank you!

            Sandra

            • 3. Re: New Winlogon Problem? Too active, too much cpu, slows computer
              Peacekeeper

              Lets us see what they say and I will ask the techs when we talk Tuesday Morning our time.

              • 4. Re: New Winlogon Problem? Too active, too much cpu, slows computer
                Hayton

                Just a couple of thoughts about this. Winlogon seems to be responsible for monitoring system files if the threads I see in the Process Explorer process window are anything to go by. If you haven't got Process Explorer you might find it useful in isolating whatever's goin on - downloadable from Microsoft (here).

                 

                If there's a problem with system files you might want to run sfc /scannow in a command window to make sure the files are all okay.

                 

                Second thought is that 1Gb of RAM just isn't enough for McAfee. Sorry, but that's undoubtedly true. On my XP box everything struggled with 1Gb, and there's going to be a lot of swapping in and out of memory, which means masses of disk access and page faults. I found 1.5Gb to be just about sufficient, but could really have done with 2 or even 3Gb. Same probably goes for your XP machine.

                • 5. Re: New Winlogon Problem? Too active, too much cpu, slows computer
                  Peacekeeper

                  Second what Peter said process explorer will tell you what winlogon is actually doing.

                  • 6. Re: New Winlogon Problem? Too active, too much cpu, slows computer

                    Thank you both for your suggestions. Here are the results (so far):

                     

                    1) Ran RootKitRemover - it found nothing

                    2) Ran Stinger - it found nothing

                    3) Downloaded Process Explorer - installed and ran it.  I can tell you a lot of things, but I really have no idea what I'm looking at.  In the DLLs view, there were a lot of items that came up green, then red, then green, then red and finally they were permanently listed and no more light show.  :-)  There were 4 relocated DLLs. In the Threads view, there were only a couple of items than did the red/green thing.  I read the help and I can operate it, but I don't know what it means.  Perhaps if you have a couple of specific questions I'll be more help reporting back on this tool?  While playing with the tool Winlogon took off is is now hogging upwards of 99% of the CPU making this a challenging communication to write.  I disabled auto scanning on McAfee after rebooting and it went away.

                    4) Interestingly, I can't do a system restore through the Start menu.  I tried yesterday and it only let me look at Dec 1st.  Today I can only look at Dec 2nd.  I'll try the other suggestions as soon as I get a little control back.  I booted in Safe Mode with Networking and was still unable to go back to November.  Just tried the Help & Support/Undo changes and it didn't work.  The restore/rstrui on the command line does the same.  I know I looked at November's restore points sometime around the 18th and it was working ok then.

                    5) Ran sfc /scannow - as soon as it started winlogon went up to 99% CPU usage.  As soon as this utility finished running (and reported nothing), it went away. 

                    6) Am I just imaging this or does winlogon not like the attention it is getting?  This is looking more and more like a virus, don't you think?

                     

                     

                    PS:  Oh, and in my spare time I make sushi and enchiladas.  LOL

                    • 7. Re: New Winlogon Problem? Too active, too much cpu, slows computer
                      Hayton

                      In Process Explorer just double-click a running process to get its Properties window - see below.

                       

                      Yes this could be malware but it doesn't have to be. One thing you haven't told us is which McAfee program you've got (Internet Security? AntiVirus?) and what version. This might be relevant because there are threads here from a while back about this problem and the version - back then - played a part. There are also threads on the Microsoft forums about this issue. All seem to be limited to older machines running XP with McAfee installed

                       

                      See

                      https://community.mcafee.com/thread/38735?start=10&tstart=0

                      https://answers.microsoft.com/en-us/windows/forum/windows_xp-performance/winlogo nexe-memory-leak-and-high-cpu-usage/b3e64e6b-e304-449a-9d5b-a86d3b146ae1

                       

                      See also - perhaps especially -

                      http://www.xpheads.com/forums/microsoft-public-windowsxp-general/68745-winlogon- exe-consumes-50-cpu-after-xp-pro-sp3-update.html

                      where continuous winlogon cpu activity was associated with a lot of strange child processes under winlogon. This thread has contributions from a Microsoft MVP, and recommends the use of Process Explorer as a first step. There are links to other websites if you want to run HijackThis and post the logs in a specialist forum. The thread is an old one but the basic advice is good and the links are useful.

                       

                      I have to say you're certainly not alone in seeing this : there are hundreds of posts to different tech forums. Trying to find a common denominator isn't easy. One thing you should do (and most of the threads say this) is look in the XP Event Logs for recurrent error messages.

                       

                      First though, what processes are running under winlogon in ProcExp?

                       

                      ProcExp winlogon.JPG

                      • 8. Re: New Winlogon Problem? Too active, too much cpu, slows computer

                        Hi again,

                        I'm running McAfee Security Center 11.6, build 11.6.435, Affld 105-72

                        Virus Scan 15.6, build 15.6.231, dat version 6912, boot Dat version:  6908.000

                        Personal Firewall 12.6, build 12.6.186

                        Anti-Spam 12.6, build 12.6.144

                         

                        Here's the performance graph from the Properties Window with AutoScan on:

                         

                         

                        And here is a sample of some of the DLL's that go from green to red.

                         

                         

                        Last, I looked at the Event Viewer and there are some errors and warnings among all of the information items.  Is there anything in particular that I should pay attention to?  There's a lot of stuff there and I don't know what it all means.  No winlogon specific messages.

                         

                        Sandra

                        • 9. Re: New Winlogon Problem? Too active, too much cpu, slows computer
                          Peacekeeper

                          Sandra were you intending to post some graphs?

                          1 2 3 Previous Next