winlogon.exe - Windows Login/Logout Subsystem
The winlogon.exe process is a component of the Microsoft Windows login/logout management subsystem. It's responsible for checking user authorization during login, and also for checking the Windows activation code in XP and Vista. During logout, it removes active credentials and may also perform other tasks such as process rundown. This is a critical component of the OS, and should not be altered or modified in any way.
The winlogon.exe file is only found in the Windows NT/2000/XP/Vista line of OS releases. Earlier versions of Windows, such as 95 and 98, did not include this file since they used a different authentication management scheme. The legitimate copy of winlogon.exe is found in the system32 directory, e.g. C:\windows\system32. It is possible for more than one legitimate winlogon.exe process to be present on a given system simultaneously.
Known malware applications have attempted to masquerade as winlogon.exe in order to evade detection. In one case, a file called "winIogin.exe" (note the uppercase "I") was used since most users would not notice the difference between the "I" and "l." This is a common trick when attempting to conceal malware from virus scanners.
Viruses reported under the winlogon.exe name include WinlogonHack.A, W32/Patchlog.B, and W32/Backdoor, among others; the name is apparently quite popular as a virus disguise. While the presence of multiple winlogon.exe processes is normal, an unusual number of these processes, or instances consuming large amounts of CPU or memory, should be taken as a sign to run a full virus/spyware scan on the PC.
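The three checks above (legitimate path under system32, look-alike names such as an uppercase "I" standing in for "l", and an abnormal count or resource use) can be combined into one triage routine. The script below is an added example and not part of the original article; the process records in SAMPLE are constructed data, and the CPU and memory thresholds are arbitrary assumptions. On a live host the same records would be filled from Get-Process, tasklist, or psutil, which are deliberately not used here so that the logic runs offline on any platform.

```python
"""Triage a process listing for winlogon.exe impostors (added example)."""
import ntpath
from dataclasses import dataclass

# Characters commonly swapped for visual look-alikes in file names ("winIogon.exe").
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})
TARGET = "winlogon"


@dataclass
class Proc:
    pid: int
    name: str           # image name as shown by the process list
    path: str           # full path of the executable ("" if unknown)
    session: int        # Windows session id
    cpu_seconds: float  # total processor time consumed
    working_set: int    # resident memory in bytes


def normalize(name: str) -> str:
    """Drop the extension and fold homoglyphs so impostors collapse onto 'winlogon'."""
    stem = name.rsplit(".", 1)[0]
    return stem.translate(HOMOGLYPHS).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name: str) -> bool:
    """True for names that imitate winlogon.exe without being literally winlogon.exe."""
    if name.lower() == TARGET + ".exe":
        return False
    return edit_distance(normalize(name), TARGET) <= 1


def expected_path(system_root: str = r"C:\Windows") -> str:
    """Where the genuine binary lives: %SystemRoot%\\System32\\winlogon.exe."""
    return ntpath.normpath(ntpath.join(system_root, "System32", "winlogon.exe")).lower()


def triage(procs, system_root=r"C:\Windows", cpu_limit=60.0, mem_limit=64 * 2**20):
    """Return (pid, name, reason) findings for anything winlogon-like that looks wrong.

    cpu_limit (seconds) and mem_limit (bytes) are assumed thresholds, not Windows facts.
    """
    findings = []
    legit = expected_path(system_root)
    genuine = []
    for p in procs:
        if is_lookalike(p.name):
            findings.append((p.pid, p.name, "name imitates winlogon.exe"))
            continue
        if p.name.lower() != TARGET + ".exe":
            continue  # unrelated process
        if ntpath.normpath(p.path).lower() != legit:
            findings.append((p.pid, p.name, f"unexpected path {p.path!r}"))
            continue
        genuine.append(p)
        if p.cpu_seconds > cpu_limit or p.working_set > mem_limit:
            findings.append((p.pid, p.name, "abnormal CPU or memory for winlogon"))
    # One winlogon.exe per logon session is normal; more than that is not.
    sessions = {p.session for p in genuine}
    if len(genuine) > len(sessions):
        findings.append((0, TARGET + ".exe",
                         f"{len(genuine)} instances for {len(sessions)} session(s)"))
    return findings


# Constructed sample listing, not a real capture.
SAMPLE = [
    Proc(612, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", 1, 0.4, 9 * 2**20),
    Proc(4120, "winlogon.exe", r"C:\Windows\system32\winlogon.exe", 2, 0.3, 9 * 2**20),
    Proc(2988, "winIogin.exe", r"C:\Users\alice\AppData\Local\Temp\winIogin.exe", 1, 310.0, 150 * 2**20),
    Proc(3304, "winlogon.exe", r"C:\Users\alice\AppData\Roaming\winlogon.exe", 1, 0.1, 4 * 2**20),
    Proc(5100, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", 1, 900.0, 400 * 2**20),
    Proc(980, "svchost.exe", r"C:\Windows\System32\svchost.exe", 0, 12.0, 30 * 2**20),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"PID {pid:>5}  {name:<14} {reason}")
```

Against the constructed sample this flags the Temp-directory "winIogin.exe" as a name look-alike, the Roaming-directory copy as a wrong path, the third System32 instance for its CPU and memory use, and the fact that three genuine instances exist for only two sessions. A look-alike name or a wrong path is a stronger signal than the count and resource heuristics, which is why those two checks come first and short-circuit the rest.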
As always, if you suspect a malware infestation you should download and run a current copy of an antivirus/malware scanner in order to isolate and remove the offending application. Be sure to obtain the most recent definition files, since these are critical to the removal of current malware variants.