Winlogon.exe is the process that handles and manages user logon to the Windows operating system. It handles many critical elements of the user logon process and is typically seen running at all times. It is launched early in the boot process with a parent of smss.exe.
EchoTrail Prevalence Score (EPS)


Rank Analysis
Host Prevalence


Execution Rank


Behavioral Analysis
Top Filenames
Top Paths
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
While winlogon.exe is a core Windows component, it is also one of the top malware names. The legitimate winlogon.exe has the following metadata:
Image Path: %SystemRoot%\System32\winlogon.exe
Parent Process: Created by an instance of smss.exe that exits, so analysis
tools usually do not provide the parent process name.
Number of Instances: One or more
User Account: Local System
Start Time: Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.

Winlogon.exe is also often involved in a logon bypass technique called Sticky Keys. In this attack a Windows accessibility feature is exploited by a simple registry modification. When this key is modified a user can press shift 5 times at a logon screen and have it execute the program of their choice, typically cmd.exe. This accessibility feature is meant to bring up a window to help a user get logged in. When exploited it instead brings up a command prompt with administrative access.

In this scenario, one would see winlogon.exe launching an unusual child, such as cmd.exe. This behavior is easy to pick out with the proper tooling, as Winlogon.exe should never launch a shell like cmd.exe.