Windows Legacy OS forum

General discussion

Winlogon.exe i need it back

by boyasian / January 17, 2006 1:52 AM PST

Hi, when I was scanning my computer I accidentally deleted winlogon for my Windows XP, and now every time I start the computer it says winlogon cannot be found. Where can I download it, since I don't have the Windows XP Home CD-ROM and my Morpheus won't start now... can anyone help?

Do you want it back? (trojan?)
by R. Proffitt Forum moderator / January 17, 2006 2:27 AM PST

Use The System Restore Function With XP
by Harry_Johnson / January 17, 2006 3:06 AM PST

Since you are running Windows XP, just use the System Restore feature and that will fix your problem. If you don't know how to do this, click start>accessories>system tools>system restore. Once you get here there will be two options, which are 1.) To restore your OS to an earlier date 2.) Create a Restore point. Select option 1; after you select option 1 it will ask you to select a bold date from the calendar, so just pick the date you wish to restore your computer from. However, be warned, whatever you have created or any software that has been installed may be lost. So just be careful of your time of restoration (depending on what restore point you choose). From my experience however, a system restore does not affect data files, but it will affect certain software programs, which may need to be reinstalled. The system restore should give back your winlogon.exe that you lost.

I advise against this. If winlogon was really missing...
by R. Proffitt Forum moderator / January 17, 2006 3:08 AM PST

The system would not operate.

System Restore if successful could restore the trojan.

Bob

Nothing works... System Restore didn't work, it still pops up
by boyasian / January 17, 2006 3:32 AM PST

It still pops up saying it's not able to find the location, and I think I deleted it, so how do I get it back? I tried System Restore...?

DO NOT PUT IT BACK!
by R. Proffitt Forum moderator / January 17, 2006 3:39 AM PST

The trojan drops a "run" entry in the registry.

Please read the link I supplied.

Bob

Fix The Malware Entry In The Registry
by Grif Thomas Forum moderator / January 17, 2006 3:59 AM PST

Per the link Bob provided earlier:
__________________________

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:
"Windows Logon Application"="%Windir%\winlogon.exe"

Exit the Registry Editor.
_______________________

Hope this helps.

Grif

hey
by boyasian / January 17, 2006 6:37 AM PST

Hey, I tried doing what the Symantec site did and I went and checked many times, but the winlogon wasn't there. It was probably already deleted. What do I do now?

winlogon
by rob.linuxsympatico.ca / January 17, 2006 7:47 AM PST
In reply to: hey

Sounds like your problem is solved...did you read any of those posts ???

the thing you want is a TROJAN !!! trojan is a bad thing...you don't want it back

Rob

There is winLogon......
by Papa Echo / January 17, 2006 8:50 AM PST
In reply to: hey

winlogon can be a legitimate Windows process. What Trojans do is to drop a similarly named file. Try a Google for winlogon for more information.

..and Winlogon...winlogon...
by Papa Echo / January 17, 2006 8:58 AM PST

...better results if you put in winlogon+trojan

Why it's some minor damage now.
by R. Proffitt Forum moderator / January 17, 2006 9:00 AM PST

If it was the Windows' Logon program, you would not be able to get onto the machine. Please do not replace the trojan file.

Bob

True....
by Papa Echo / January 17, 2006 11:35 AM PST

...and the system would not allow it to be removed from startup processes, because "it is needed".

Boyasian, If The Error Is Still There. Other Places To Look
by Grif Thomas Forum moderator / January 18, 2006 5:30 AM PST
In reply to: hey

If you checked the specific registry location previously mentioned, then there is still a start up "call" from the registry occurring. Check these other paths in the registry:

(Remember... You're looking for the "Windows Logon Application"="%Windir%\winlogon.exe" or similar, in the right pane of the registry keys listed below. If it's not there, then move to the next location.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices

These are the most commonly used registry startup locations for the variety of trojans and malware that use this file name.

Hope this helps.

Grif

RE:Winlogon
by LimitlessVelocity / January 18, 2006 10:39 AM PST

Winlogon is the exe that as far as I know carries out 2 critical functions. 1st your start up/system processes and secondly Windows Product Activation. However you can get into Windows without winlogon in Safe Mode. If you replace the Winlogon file you can do it from ANY XP computer, it's just that your activation will be undone. I would recommend this:

1. Get Winlogon.exe from any XP system you have in reach. It's like 400 kb so no issues. Even a floppy would work.

2. Boot up in Safe Mode, access System32 and dump the file there.

3. Boot Windows in normal mode... Your activation should be disabled. Use your Product Activation Key that I assume you have on that sticker.

4. If that doesn't work call Microsoft and do it officially.

I had a very similar problem once... That's how I got through it... Good luck

Limitless, This One's A Virus...
by Grif Thomas Forum moderator / January 18, 2006 1:05 PM PST
In reply to: RE:Winlogon

Although there is a "good" Winlogon.exe that provides the services that you have mentioned. On Windows XP, the "good" version resides in the C:\Windows\System32 folder. There are also a number of malware versions with the same file name and they will reside in other directories such as C:\Windows, etc. Please view the links below for just a few of such "bad" versions of that file:

http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.a@mm.html

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.html

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dsklite.html

In this particular case, because the file was deleted as a virus and because the user CAN STILL LOGON, then the "good" file is still there and a malware version was removed. Unfortunately, the registry call is still coming up as an error.

Hope this helps.

Grif
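
The check described in the posts above (look in the four startup keys for a value that launches a winlogon.exe living outside System32), as an added example that is not part of any forum post. It parses the text of a registry export; the sample export, the `ExampleUpdater` value and the function names are constructed for illustration, and `C:\Windows` is assumed as the Windows directory.

```python
import ntpath
import re

# The four startup keys listed in the thread, lower-cased for comparison.
RUN_KEYS = {
    hive + "\\software\\microsoft\\windows\\currentversion\\" + leaf
    for hive in ("hkey_local_machine", "hkey_current_user")
    for leaf in ("run", "runservices")
}
SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Application"="%Windir%\\winlogon.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

def unescape(text):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', text)

def suspicious_winlogon_entries(reg_text, windir=r"C:\Windows"):
    """Return (key, value name, command) for startup values that launch a
    winlogon.exe located anywhere other than <windir>\\System32."""
    good = ntpath.normcase(ntpath.join(windir, "System32", "winlogon.exe"))
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE.match(line)
        if not value or key is None or key.lower() not in RUN_KEYS:
            continue
        name, command = unescape(value.group(1)), unescape(value.group(2))
        # Expand the variable, then keep only the executable path.
        path = re.sub(r'%(windir|systemroot)%', lambda _: windir, command, flags=re.I)
        exe = re.match(r'"?(.+?\.exe)', path, re.I)
        if not exe:
            continue
        target = ntpath.normcase(exe.group(1))
        if ntpath.basename(target) == "winlogon.exe" and target != good:
            findings.append((key, name, command))
    return findings
```

Registry Editor writes its exports as UTF-16, so decode the file with that encoding before passing its text to the function.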

Winlogon 50% CPU fixed (if you can't find Virus)
by austinlcherry / August 10, 2007 7:39 AM PDT

I know this thread is old, but I wasn't able to find the solution anywhere. I happened across it when I noticed that in the Windows registry
under the key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

There was WgaLogon that was not on another computer. I think that this program was "stuck" and that is why the winlogon.exe was running at 50% CPU. Under my key I have the following Keys only now:
avldr
crypt32chain
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballon

Once I removed WgaLogon everything went back to normal. I think it was just a botched install of Windows Genuine Advantage. Or maybe our firewall is preventing this traffic from happening, so it keeps trying to send data to Microsoft, thus the 50% CPU. I hope this helps someone, because my issue was definitely not a virus.
-Austin

mdm.exe is another possible cause
by Nosteralien / August 9, 2010 2:41 AM PDT

The solutions reported above didn't work for me.

I solved the problem by closing the "mdm.exe" program by pressing control+alt+del.

It can interfere with winlogon.exe.
