Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Winlogon.exe and csrss.exe

  • Please log in to reply
2 replies to this topic

#1 jigsawtheone


  • Members
  • 1 posts
  • Local time:08:16 PM

Posted 14 February 2014 - 04:03 PM

So lately my laptop is running really slow at the startup and I recently noticed that in my processes there are these two with no description or user so I guess they're infected but anti-malware and avast antivirus which i have installed aren't helping so i figured out I'll just ask here.Any help would be apreciated .Thank you in advance.

Edited by hamluis, 14 February 2014 - 04:37 PM.
Moved from Win 7 to Am I Infected - Hamluis.

BC AdBot (Login to Remove)


#2 dls62


  • Members
  • 623 posts
  • Gender:Male
  • Location:Berkshire, UK
  • Local time:07:16 PM

Posted 14 February 2014 - 04:26 PM

Right click on each of the processes in Task Manager and select Properties.

For the Location it should read 'C:\Windows\System32'. What do you have?

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,916 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:16 PM

Posted 14 February 2014 - 08:38 PM

winlogon.exe is a process belonging to the Windows login manager and part of the Windows Login subsystem. winlogon.exe is necessary for user authorization, checking the Windows XP activation code and handling interactive user logons and logoffs. Determining whether winlogon.exe is malware or a legitimate Windows process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate winlogon.exe file is located in the C:\Windows\System32 folder. If found running from a different location, it's usually indicative of malware, it's usually indicative of malware.

csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment. This process is important for stable and secure operation of your system and should not be terminated. The legitimate csrss.exe file is located in the C:\Windows\System32 folder but you may find legitimate copies in other folders such as:


Windows Task Manager does not provide enough information. These are tools to investigate running processes, programs that run at startup, services and gather additional information to identify them or resolve problems:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users