EchoTrail

winlogon.exe

Author: Microsoft

Source: Wild

Summary

Winlogon.exe is the process that handles and manages user logon to the Windows operating system. It handles many critical elements of the user logon process and is typically seen running at all times. It is launched early in the boot process with a parent of smss.exe.

EchoTrail Prevalence Score (EPS)

94.06

Rank Analysis

Host Prevalence

91.8%

Execution Rank

306th

Behavioral Analysis

Top Hashes

b9699fd59457dbfdf4011a4a09b748c6d3d01d3780f9ec5245af652ab9936425

15.68 %

Top Paths

C:\Windows\System32

99.91 %

Top Network Ports

No results found.

Ancestry Analysis

Top GrandParents

Top Parents

Top Children

Security Analysis

Intel

While winlogon.exe is a core Windows component, it is also one of the top malware names. The legitimate winlogon.exe has the following metadata: Image Path: %SystemRoot%\System32\winlogon.exe Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name. Number of Instances: One or more User Account: Local System Start Time: Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons. Winlogon.exe is also often involved in a logon bypass technique called Sticky Keys. In this attack a Windows accessibility feature is exploited by a simple registry modification. When this key is modified a user can press shift 5 times at a logon screen and have it execute the program of their choice, typically cmd.exe. This accessibility feature is meant to bring up a window to help a user get logged in. When exploited it instead brings up a command prompt with administrative access. In this scenario, one would see winlogon.exe launching an unusual child, such as cmd.exe. This behavior is easy to pick out with the proper tooling, as Winlogon.exe should never launch a shell like cmd.exe.