Author: Microsoft
Source: Wild
Winlogon.exe is the process that handles and manages user logon to the Windows operating system. It handles many critical elements of the user logon process and is typically seen running at all times. It is launched early in the boot process with a parent of smss.exe.
Security Analysis
While winlogon.exe is a core Windows component, its name is also one of the most commonly abused by malware, so the first check is whether the instance you are looking at matches the legitimate binary. The legitimate winlogon.exe has the following properties:

Image Path: %SystemRoot%\System32\winlogon.exe
Parent Process: Created by an instance of smss.exe that exits immediately afterwards, so analysis tools that look up the parent after the fact usually cannot show a parent process name (tools that record the parent at creation time, such as Sysmon, show smss.exe).
Number of Instances: One or more
User Account: Local System
Start Time: Within seconds of boot time for the first instance (Session 1). Additional instances start as new sessions are created, typically through Remote Desktop or Fast User Switching logons.

Anything called winlogon.exe that runs from another path, under a non-SYSTEM account, or with an unexpected parent is masquerading and should be treated as malicious until proven otherwise.

Winlogon.exe is also central to a logon-bypass technique known as Sticky Keys. Pressing Shift five times at the logon screen triggers the Sticky Keys accessibility feature, which causes winlogon.exe to launch sethc.exe (the accessibility prompt) on the secure desktop. A single registry modification, an Image File Execution Options Debugger value for sethc.exe (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe), redirects that launch to a program of the attacker's choice, typically cmd.exe; replacing sethc.exe on disk achieves the same effect. Because winlogon.exe runs as Local System, the command prompt that appears runs as SYSTEM, before any user has authenticated. The same trick applies to the other accessibility binaries reachable from the logon screen, such as utilman.exe.

In this scenario the telemetry shows winlogon.exe launching an unusual child such as cmd.exe, and when the IFEO Debugger method is used the child's command line carries the original sethc.exe path as an argument. This behavior is easy to pick out with the proper tooling: winlogon.exe's legitimate children are a short and stable set (userinit.exe and LogonUI.exe are the common ones), and a shell like cmd.exe is never among them.
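The detection logic described above, written out as an added example that is not part of the original page. It runs over Sysmon Event ID 1 style process-creation events (JSON lines with the Image, ParentImage, User and CommandLine fields) and flags both a masquerading winlogon.exe and the Sticky Keys pattern of winlogon.exe spawning a shell. The sample events are constructed for illustration, and the list of benign children is an assumed baseline that should be tuned to your own environment.

```python
"""Flag suspicious winlogon.exe activity in Sysmon-style process-creation events.

Added example, not code from the original page. The sample log below is constructed;
the benign-children baseline is an assumption and should match your own telemetry.
"""
import json

EXPECTED_IMAGE = r"c:\windows\system32\winlogon.exe"
EXPECTED_USER = r"nt authority\system"
# Children winlogon.exe normally spawns (assumed baseline; tune to your own "Top Children").
BENIGN_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe", "fontdrvhost.exe"}
# Interactive shells and script hosts winlogon.exe should never launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Accessibility binaries reachable from the logon screen and commonly hijacked via IFEO Debugger.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> list:
    """Return (rule_id, detail) findings for one process-creation event; [] means benign."""
    findings = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    user = ev.get("User", "").lower()
    cmdline = ev.get("CommandLine", "").lower()

    # Rule group 1: something named winlogon.exe that does not match the legitimate binary.
    if basename(image) == "winlogon.exe":
        if image != EXPECTED_IMAGE:
            findings.append(("WINLOGON_PATH", f"winlogon.exe running from {ev.get('Image')}"))
        if user != EXPECTED_USER:
            findings.append(("WINLOGON_USER", f"winlogon.exe running as {ev.get('User')}"))

    # Rule group 2: unexpected children of winlogon.exe (Sticky Keys backdoors land here).
    if basename(parent) == "winlogon.exe":
        child = basename(image)
        if child in SHELLS:
            findings.append(("WINLOGON_SHELL_CHILD",
                             f"winlogon.exe spawned {child}: {ev.get('CommandLine')}"))
        elif child not in BENIGN_CHILDREN:
            findings.append(("WINLOGON_UNUSUAL_CHILD", f"winlogon.exe spawned {child}"))
        # An IFEO Debugger hijack launches the "debugger" with the original binary's
        # path appended, so sethc.exe shows up in cmd.exe's command line.
        if (any(b in cmdline for b in ACCESSIBILITY_BINARIES)
                and child not in ACCESSIBILITY_BINARIES):
            findings.append(("ACCESSIBILITY_DEBUGGER",
                             f"{child} launched in place of an accessibility binary"))
    return findings


def analyze_log(lines) -> dict:
    """Map ProcessId -> findings for every non-benign event in an iterable of JSON lines."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        findings = analyze_event(ev)
        if findings:
            results[ev.get("ProcessId")] = findings
    return results


# Constructed sample events: a normal boot-time winlogon.exe, a normal userinit.exe child,
# a Sticky Keys cmd.exe spawned by winlogon.exe, and a masquerading winlogon.exe.
SAMPLE_LOG = r'''
{"ProcessId": 620, "Image": "C:\\Windows\\System32\\winlogon.exe", "CommandLine": "winlogon.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\smss.exe"}
{"ProcessId": 1180, "Image": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "C:\\Windows\\system32\\userinit.exe", "User": "DESKTOP\\alice", "ParentImage": "C:\\Windows\\System32\\winlogon.exe"}
{"ProcessId": 2044, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe C:\\Windows\\System32\\sethc.exe 211", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\winlogon.exe"}
{"ProcessId": 3320, "Image": "C:\\Users\\Public\\winlogon.exe", "CommandLine": "winlogon.exe", "User": "DESKTOP\\bob", "ParentImage": "C:\\Windows\\explorer.exe"}
'''


if __name__ == "__main__":
    for pid, findings in analyze_log(SAMPLE_LOG.splitlines()).items():
        for rule, detail in findings:
            print(f"PID {pid}: {rule}: {detail}")
```

Feed it real Sysmon output by exporting Event ID 1 records as JSON lines with the same field names; the comparisons are case-insensitive because Windows paths and account names are. The ACCESSIBILITY_DEBUGGER rule is what distinguishes the IFEO variant from a plain sethc.exe overwrite, which only trips WINLOGON_SHELL_CHILD.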