Phillip Pi
Guest
Hello.
I have a strange, rare, and annoying Windows XP Pro SP2 (IE 6.0 SP2; all
critical updates and optional software for SP2) issue that has been
around for three years or so, and I can't figure out what's going on.
Once in a while (very rare -- maybe once every one or two months?),
winlogon.exe decides to go nuts and take one of my CPUs (I have a dual core
Intel P4 Prescott machine). From there, software doesn't respond and some
programs can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe)
even if I force end task. When I try to shut down Windows to reboot, it gets
stuck forever and I need to do a forced shutdown with the power switch on
the Dell Optiplex GX280 case.
I tried viewing Process Explorer, Process Monitor, event logs, services
via cmd.exe (administrative method freezes/doesn't respond), etc. and
found nothing interesting. Here are the Process Explorer exports:
From Process Explorer v11.20:
Process PID Description CPU Company Name
System Idle Process 0 39.13
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 1160 Windows NT Session Manager Microsoft Corporation
csrss.exe 1208 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1236 Windows NT Logon Application 50.00 Microsoft
Corporation
services.exe 1280 Services and Controller app 0.72 Microsoft
Corporation
svchost.exe 1480 Generic Host Process for Win32 Services
Microsoft Corporation
svchost.exe 1536 Generic Host Process for Win32 Services
Microsoft Corporation
svchost.exe 456 Generic Host Process for Win32 Services Microsoft
Corporation
Smc.exe 724 Symantec CMC Smc 0.72 Symantec Corporation
SmcGui.exe 2168 Symantec CMC SmcGui 4.35 Symantec Corporation
svchost.exe 780 Generic Host Process for Win32 Services Microsoft
Corporation
svchost.exe 892 Generic Host Process for Win32 Services Microsoft
Corporation
SNAC.EXE 904 Symantec Network Access Control 0.72 Symantec Corporation
ccSvcHst.exe 1968 Symantec Service Framework Symantec Corporation
spoolsv.exe 1916 Spooler SubSystem App Microsoft Corporation
AeXNSAgent.exe 1924 Altiris Agent Altiris, Inc.
AluSchedulerSvc.exe 524 Automatic LiveUpdate Scheduler Service
Symantec Corporation
ntmulti.exe 944 IBM Lotus Notes/Domino IBM Corp
NMSAccess.exe 968
p4ps.exe 1084
P4Webs.exe 1648
spkrmon.exe 1676 SoundMAX SpeakerMonitor service
Rtvscan.exe 1664 Symantec AntiVirus Symantec Corporation
vmware-authd.exe 2192 VMware Authorization Service VMware, Inc.
vmount2.exe 2704 virtual disk mount service VMware, Inc.
vmnat.exe 2904 VMware NAT Service VMware, Inc.
vmnetdhcp.exe 3180 VMware VMnet DHCP service VMware, Inc.
alg.exe 2996 Application Layer Gateway Service Microsoft Corporation
lsass.exe 1292 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3228 Windows Explorer Microsoft Corporation
TaskSwitch.exe 3660
ccApp.exe 3100 Symantec User Session Symantec Corporation
trillian.exe 1700 Trillian Cerulean Studios
OUTLOOK.EXE 2952 Microsoft Office Outlook Microsoft Corporation
seamonkey.exe 1012 SeaMonkey mozilla.org
taskmgr.exe 1616 Windows TaskManager Microsoft Corporation
procexp.exe 3392 Sysinternals Process Explorer 4.35 Sysinternals -
www.sysinternals.com
Process: winlogon.exe Pid: 1236
Name Description Company Name Version
ACTIVEDS.dll ADs Router Layer DLL Microsoft Corporation 5.01.2600.2180
adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.01.2600.2180
ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation
5.01.2600.2180
Apphelp.dll Application Compatibility Client Library Microsoft
Corporation 5.01.2600.2180
Ati2evxx.dll ATI External Event Utility DLL Module ATI Technologies
Inc. 6.14.0010.4123
ATL.DLL ATL Module for Windows XP (Unicode) Microsoft Corporation
3.05.2284.0000
AUTHZ.dll Authorization Framework Microsoft Corporation 5.01.2600.2622
Cabinet.dll Microsoft® Cabinet File API Microsoft Corporation 5.01.2600.2180
CLBCATQ.DLL Microsoft Corporation 2001.12.4414.0308
COMCTL32.dll Common Controls Library Microsoft Corporation 5.82.2900.2982
comctl32.dll User Experience Controls Library Microsoft Corporation
6.00.2900.2982
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
COMRes.dll Microsoft Corporation 2001.12.4414.0258
CRYPT32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cryptdll.dll Cryptography Manager Microsoft Corporation 5.01.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
DNSAPI.dll DNS Client API DLL Microsoft Corporation 5.01.2600.3394
fastprox.dll WMI Microsoft Corporation 5.01.2600.2180
GDI32.dll GDI Client DLL Microsoft Corporation 5.01.2600.3316
hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation
5.01.2600.2180
icmp.dll ICMP DLL Microsoft Corporation 5.01.2600.2180
IMAGEHLP.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation
5.01.2600.2180
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2912
kerberos.dll Kerberos Security Package Microsoft Corporation 5.01.2600.2698
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation
5.01.2600.3119
locale.nls
LPK.DLL Language Pack Microsoft Corporation 5.01.2600.2180
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
MPR.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
MPRAPI.dll Windows NT MP Router Administration DLL Microsoft
Corporation 5.01.2600.2180
MSACM32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
MSASN1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msctfime.ime Microsoft Text Frame Work Service IME Microsoft
Corporation 5.01.2600.2180
MSGINA.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation
5.01.2600.2180
MSVCP60.dll Microsoft (R) C++ Runtime Library Microsoft Corporation
6.02.3104.0000
MSVCR70.dll Microsoft® C Runtime Library Microsoft Corporation
7.00.9466.0000
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.3085
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft
Corporation 5.01.2600.3394
msxml3.dll MSXML 3.0 SP9 Microsoft Corporation 8.90.1101.0000
msxml3r.dll XML Resources Microsoft Corporation 8.20.8730.0001
NavLogon.dll Symantec AntiVirus Logon Notification Symantec Corporation
10.01.0000.0401
NDdeApi.dll Network DDE Share Management APIs Microsoft Corporation
5.01.2600.2180
NETAPI32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2976
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
NTDSAPI.DLL NT5DS Microsoft Corporation 5.01.2600.2180
NTMARTA.DLL Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
ODBC32.dll Microsoft Data Access - ODBC Driver Manager Microsoft
Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft
Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
OLEAUT32.dll Microsoft Corporation 5.01.2600.3266
PCANotify.dll Winlogon Notification package Symantec Corporation
11.00.0001.0764
PROFMAP.dll Userenv Microsoft Corporation 5.01.2600.2180
PSAPI.DLL Process Status Helper Microsoft Corporation 5.01.2600.2180
REGAPI.dll Registry Configuration APIs Microsoft Corporation 5.01.2600.2180
RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation
5.01.2600.3173
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft
Corporation 5.01.2600.2161
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
SAMLIB.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SASWINLO.dll SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com
1.00.0000.1046
Secur32.dll Security Support Provider Interface Microsoft Corporation
5.01.2600.2180
SETUPAPI.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.3241
SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation
6.00.2900.3354
SHSVCS.dll Windows Shell Services Dll Microsoft Corporation 6.00.2900.3051
sortkey.nls
sorttbls.nls
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.3019
unicode.nls
USER32.dll Windows XP USER API Client DLL Microsoft Corporation
5.01.2600.3099
USERENV.dll Userenv Microsoft Corporation 5.01.2600.2180
USP10.dll Uniscribe Unicode script processor Microsoft Corporation
1.420.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
VERSION.dll Version Checking and File Installation Libraries Microsoft
Corporation 5.01.2600.2180
wbemcomn.dll WMI Microsoft Corporation 5.01.2600.2180
wbemprox.dll WMI Microsoft Corporation 5.01.2600.2180
wbemsvc.dll WMI Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
WgaLogon.dll Windows Genuine Advantage Notification Microsoft
Corporation 1.07.0018.0007
WININET.dll Internet Extensions for Win32 Microsoft Corporation
6.00.2900.3354
winlogon.exe Windows NT Logon Application Microsoft Corporation
5.01.2600.2180
WINMM.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
WINSCARD.DLL Microsoft Smart Card API Microsoft Corporation 5.01.2600.2180
WINSPOOL.DRV Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
WINSTA.dll Winstation Library Microsoft Corporation 5.01.2600.2180
WINTRUST.dll Microsoft Trust Verification APIs Microsoft Corporation
5.131.2600.2180
WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
WlNotify.dll Common DLL to receive Winlogon notifications Microsoft
Corporation 5.01.2600.2180
WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation
5.01.2600.2180
WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft
Corporation 5.01.2600.2180
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180
wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
WTSAPI32.dll Windows Terminal Server SDK APIs Microsoft Corporation
5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180
--
Process PID Description CPU Company Name
System Idle Process 0 41.18
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 1160 Windows NT Session Manager Microsoft Corporation
csrss.exe 1208 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1236 Windows NT Logon Application 50.00 Microsoft
Corporation
services.exe 1280 Services and Controller app 0.74 Microsoft
Corporation
svchost.exe 1480 Generic Host Process for Win32 Services 0.74
Microsoft Corporation
svchost.exe 1536 Generic Host Process for Win32 Services
Microsoft Corporation
svchost.exe 456 Generic Host Process for Win32 Services Microsoft
Corporation
Smc.exe 724 Symantec CMC Smc 0.74 Symantec Corporation
SmcGui.exe 2168 Symantec CMC SmcGui 2.94 Symantec Corporation
svchost.exe 780 Generic Host Process for Win32 Services Microsoft
Corporation
svchost.exe 892 Generic Host Process for Win32 Services Microsoft
Corporation
SNAC.EXE 904 Symantec Network Access Control Symantec Corporation
ccSvcHst.exe 1968 Symantec Service Framework 0.74 Symantec Corporation
spoolsv.exe 1916 Spooler SubSystem App Microsoft Corporation
AeXNSAgent.exe 1924 Altiris Agent Altiris, Inc.
AluSchedulerSvc.exe 524 Automatic LiveUpdate Scheduler Service
Symantec Corporation
ntmulti.exe 944 IBM Lotus Notes/Domino IBM Corp
NMSAccess.exe 968
p4ps.exe 1084
P4Webs.exe 1648
spkrmon.exe 1676 SoundMAX SpeakerMonitor service
Rtvscan.exe 1664 Symantec AntiVirus Symantec Corporation
vmware-authd.exe 2192 VMware Authorization Service VMware, Inc.
vmount2.exe 2704 virtual disk mount service VMware, Inc.
vmnat.exe 2904 VMware NAT Service VMware, Inc.
vmnetdhcp.exe 3180 VMware VMnet DHCP service VMware, Inc.
alg.exe 2996 Application Layer Gateway Service Microsoft Corporation
lsass.exe 1292 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3228 Windows Explorer Microsoft Corporation
TaskSwitch.exe 3660
ccApp.exe 3100 Symantec User Session Symantec Corporation
trillian.exe 1700 Trillian Cerulean Studios
OUTLOOK.EXE 2952 Microsoft Office Outlook Microsoft Corporation
seamonkey.exe 1012 SeaMonkey mozilla.org
taskmgr.exe 1616 Windows TaskManager Microsoft Corporation
procexp.exe 3392 Sysinternals Process Explorer 2.94 Sysinternals -
www.sysinternals.com
Is there a fix for this or a way to calm winlogon.exe down? It doesn't
seem to matter how long my session uptime is either since this was only
three days old.
Thank you in advance.
--
Phillip Pi
Senior Software Quality Assurance Analyst
ISP/Symantec Online Services, Consumer Business Unit
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail)
-----------------------------------------------------
Please do NOT e-mail me for technical support. DISCLAIMER: The views
expressed in this posting are mine, and do not necessarily reflect the
views of my employer. Thank you.
I have a strange rare and annoying Windows XP Pro. SP2 (IE6.0 SP2; all
critical updates and optional softwares for SP2) issue that had been
around for three years or so, and I can't figure out what's going on.
Once in a while (very rare -- maybe once every one/two months?), I
winlogon.exe decides to go nuts and take one of my CPU (have a dual core
Intel P4 Prescott machine). From there, softwares don't respond and some
can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even
if I force end task. When I try to shut down Windows to reboot, it gets
stuck forever and I need to do a force shut down on the power switch on
the Dell Optiplex GX280 case.
I tried viewing Process Explorer, Process Monitor, event logs, services
via cmd.exe (administrative method freezes/doesn't respond), etc. and
found nothing interesting. Here are the Process Explorer exports:
From Process Explorer v11.20:
Process PID Description CPU Company Name
System Idle Process 0 39.13
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 1160 Windows NT Session Manager Microsoft Corporation
csrss.exe 1208 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1236 Windows NT Logon Application 50.00 Microsoft
Corporation
services.exe 1280 Services and Controller app 0.72 Microsoft
Corporation
svchost.exe 1480 Generic Host Process for Win32 Services
Microsoft Corporation
svchost.exe 1536 Generic Host Process for Win32 Services
Microsoft Corporation
svchost.exe 456 Generic Host Process for Win32 Services Microsoft
Corporation
Smc.exe 724 Symantec CMC Smc 0.72 Symantec Corporation
SmcGui.exe 2168 Symantec CMC SmcGui 4.35 Symantec Corporation
svchost.exe 780 Generic Host Process for Win32 Services Microsoft
Corporation
svchost.exe 892 Generic Host Process for Win32 Services Microsoft
Corporation
SNAC.EXE 904 Symantec Network Access Control 0.72 Symantec Corporation
ccSvcHst.exe 1968 Symantec Service Framework Symantec Corporation
spoolsv.exe 1916 Spooler SubSystem App Microsoft Corporation
AeXNSAgent.exe 1924 Altiris Agent Altiris, Inc.
AluSchedulerSvc.exe 524 Automatic LiveUpdate Scheduler Service
Symantec Corporation
ntmulti.exe 944 IBM Lotus Notes/Domino IBM Corp
NMSAccess.exe 968
p4ps.exe 1084
P4Webs.exe 1648
spkrmon.exe 1676 SoundMAX SpeakerMonitor service
Rtvscan.exe 1664 Symantec AntiVirus Symantec Corporation
vmware-authd.exe 2192 VMware Authorization Service VMware, Inc.
vmount2.exe 2704 virtual disk mount service VMware, Inc.
vmnat.exe 2904 VMware NAT Service VMware, Inc.
vmnetdhcp.exe 3180 VMware VMnet DHCP service VMware, Inc.
alg.exe 2996 Application Layer Gateway Service Microsoft Corporation
lsass.exe 1292 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3228 Windows Explorer Microsoft Corporation
TaskSwitch.exe 3660
ccApp.exe 3100 Symantec User Session Symantec Corporation
trillian.exe 1700 Trillian Cerulean Studios
OUTLOOK.EXE 2952 Microsoft Office Outlook Microsoft Corporation
seamonkey.exe 1012 SeaMonkey mozilla.org
taskmgr.exe 1616 Windows TaskManager Microsoft Corporation
procexp.exe 3392 Sysinternals Process Explorer 4.35 Sysinternals -
www.sysinternals.com
Process: winlogon.exe Pid: 1236
Name Description Company Name Version
ACTIVEDS.dll ADs Router Layer DLL Microsoft Corporation 5.01.2600.2180
adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.01.2600.2180
ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation
5.01.2600.2180
Apphelp.dll Application Compatibility Client Library Microsoft
Corporation 5.01.2600.2180
Ati2evxx.dll ATI External Event Utility DLL Module ATI Technologies
Inc. 6.14.0010.4123
ATL.DLL ATL Module for Windows XP (Unicode) Microsoft Corporation
3.05.2284.0000
AUTHZ.dll Authorization Framework Microsoft Corporation 5.01.2600.2622
Cabinet.dll Microsoft® Cabinet File API Microsoft Corporation 5.01.2600.2180
CLBCATQ.DLL Microsoft Corporation 2001.12.4414.0308
COMCTL32.dll Common Controls Library Microsoft Corporation 5.82.2900.2982
comctl32.dll User Experience Controls Library Microsoft Corporation
6.00.2900.2982
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
COMRes.dll Microsoft Corporation 2001.12.4414.0258
CRYPT32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cryptdll.dll Cryptography Manager Microsoft Corporation 5.01.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
DNSAPI.dll DNS Client API DLL Microsoft Corporation 5.01.2600.3394
fastprox.dll WMI Microsoft Corporation 5.01.2600.2180
GDI32.dll GDI Client DLL Microsoft Corporation 5.01.2600.3316
hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.01.2600.2180
icmp.dll ICMP DLL Microsoft Corporation 5.01.2600.2180
IMAGEHLP.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation 5.01.2600.2180
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2912
kerberos.dll Kerberos Security Package Microsoft Corporation 5.01.2600.2698
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.3119
locale.nls
LPK.DLL Language Pack Microsoft Corporation 5.01.2600.2180
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
MPR.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
MPRAPI.dll Windows NT MP Router Administration DLL Microsoft Corporation 5.01.2600.2180
MSACM32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
MSASN1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msctfime.ime Microsoft Text Frame Work Service IME Microsoft Corporation 5.01.2600.2180
MSGINA.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
MSVCP60.dll Microsoft (R) C++ Runtime Library Microsoft Corporation 6.02.3104.0000
MSVCR70.dll Microsoft® C Runtime Library Microsoft Corporation 7.00.9466.0000
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.3085
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.3394
msxml3.dll MSXML 3.0 SP9 Microsoft Corporation 8.90.1101.0000
msxml3r.dll XML Resources Microsoft Corporation 8.20.8730.0001
NavLogon.dll Symantec AntiVirus Logon Notification Symantec Corporation 10.01.0000.0401
NDdeApi.dll Network DDE Share Management APIs Microsoft Corporation 5.01.2600.2180
NETAPI32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2976
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
NTDSAPI.DLL NT5DS Microsoft Corporation 5.01.2600.2180
NTMARTA.DLL Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
ODBC32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
OLEAUT32.dll Microsoft Corporation 5.01.2600.3266
PCANotify.dll Winlogon Notification package Symantec Corporation 11.00.0001.0764
PROFMAP.dll Userenv Microsoft Corporation 5.01.2600.2180
PSAPI.DLL Process Status Helper Microsoft Corporation 5.01.2600.2180
REGAPI.dll Registry Configuration APIs Microsoft Corporation 5.01.2600.2180
RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.3173
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
SAMLIB.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SASWINLO.dll SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com 1.00.0000.1046
Secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
SETUPAPI.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.3241
SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.3354
SHSVCS.dll Windows Shell Services Dll Microsoft Corporation 6.00.2900.3051
sortkey.nls
sorttbls.nls
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.3019
unicode.nls
USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.3099
USERENV.dll Userenv Microsoft Corporation 5.01.2600.2180
USP10.dll Uniscribe Unicode script processor Microsoft Corporation 1.420.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
VERSION.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wbemcomn.dll WMI Microsoft Corporation 5.01.2600.2180
wbemprox.dll WMI Microsoft Corporation 5.01.2600.2180
wbemsvc.dll WMI Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
WgaLogon.dll Windows Genuine Advantage Notification Microsoft Corporation 1.07.0018.0007
WININET.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.3354
winlogon.exe Windows NT Logon Application Microsoft Corporation 5.01.2600.2180
WINMM.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
WINSCARD.DLL Microsoft Smart Card API Microsoft Corporation 5.01.2600.2180
WINSPOOL.DRV Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
WINSTA.dll Winstation Library Microsoft Corporation 5.01.2600.2180
WINTRUST.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
WlNotify.dll Common DLL to receive Winlogon notifications Microsoft Corporation 5.01.2600.2180
WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180
wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
WTSAPI32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180
--
Process PID Description CPU Company Name
System Idle Process 0 41.18
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 1160 Windows NT Session Manager Microsoft Corporation
csrss.exe 1208 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1236 Windows NT Logon Application 50.00 Microsoft Corporation
services.exe 1280 Services and Controller app 0.74 Microsoft Corporation
svchost.exe 1480 Generic Host Process for Win32 Services 0.74 Microsoft Corporation
svchost.exe 1536 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 456 Generic Host Process for Win32 Services Microsoft Corporation
Smc.exe 724 Symantec CMC Smc 0.74 Symantec Corporation
SmcGui.exe 2168 Symantec CMC SmcGui 2.94 Symantec Corporation
svchost.exe 780 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 892 Generic Host Process for Win32 Services Microsoft Corporation
SNAC.EXE 904 Symantec Network Access Control Symantec Corporation
ccSvcHst.exe 1968 Symantec Service Framework 0.74 Symantec Corporation
spoolsv.exe 1916 Spooler SubSystem App Microsoft Corporation
AeXNSAgent.exe 1924 Altiris Agent Altiris, Inc.
AluSchedulerSvc.exe 524 Automatic LiveUpdate Scheduler Service Symantec Corporation
ntmulti.exe 944 IBM Lotus Notes/Domino IBM Corp
NMSAccess.exe 968
p4ps.exe 1084
P4Webs.exe 1648
spkrmon.exe 1676 SoundMAX SpeakerMonitor service
Rtvscan.exe 1664 Symantec AntiVirus Symantec Corporation
vmware-authd.exe 2192 VMware Authorization Service VMware, Inc.
vmount2.exe 2704 virtual disk mount service VMware, Inc.
vmnat.exe 2904 VMware NAT Service VMware, Inc.
vmnetdhcp.exe 3180 VMware VMnet DHCP service VMware, Inc.
alg.exe 2996 Application Layer Gateway Service Microsoft Corporation
lsass.exe 1292 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3228 Windows Explorer Microsoft Corporation
TaskSwitch.exe 3660
ccApp.exe 3100 Symantec User Session Symantec Corporation
trillian.exe 1700 Trillian Cerulean Studios
OUTLOOK.EXE 2952 Microsoft Office Outlook Microsoft Corporation
seamonkey.exe 1012 SeaMonkey mozilla.org
taskmgr.exe 1616 Windows TaskManager Microsoft Corporation
procexp.exe 3392 Sysinternals Process Explorer 2.94 Sysinternals - www.sysinternals.com
Process: winlogon.exe Pid: 1236
Type Name
Desktop \Winlogon
Desktop \Disconnect
Desktop \Default
Desktop \Default
Directory \KnownDlls
Directory \Windows
Directory \BaseNamedObjects
Event \BaseNamedObjects\AUTOENRL:TriggerMachineEnrollment
Event \BaseNamedObjects\crypt32LogoffEvent
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done
Event \BaseNamedObjects\userenv: Machine Policy Foreground Done Event
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: User Group Policy Processing is done
Event \BaseNamedObjects\userenv: User Policy Foreground Done Event
Event \BaseNamedObjects\WinlogonTSSynchronizeEvent
Event \BaseNamedObjects\TS-WPAAE
Event \BaseNamedObjects\ReconEvent
Event \Security\NetworkProviderLoad
Event \BaseNamedObjects\AtiExtEventGSNotificationEvent
Event \BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
Event \BaseNamedObjects\hardwaremixercallback
Event \BaseNamedObjects\WFP_IDLE_TRIGGER
Event \BaseNamedObjects\Microsoft Smart Card Resource Manager Started
Event \BaseNamedObjects\msgina: ReturnToWelcome
Event \BaseNamedObjects\ThemesStartEvent
Event \BaseNamedObjects\DINPUTWINMM
Event \BaseNamedObjects\winlogon: machine GPO Event 70406
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: machine policy refresh event
Event \BaseNamedObjects\userenv: machine policy force refresh event
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done
Event \BaseNamedObjects\AgentExistsEvent
Event \BaseNamedObjects\WkssvcToAgentStopEvent
Event \BaseNamedObjects\WkssvcToAgentStartEvent
Event \BaseNamedObjects\jjCSCSessEvent_UM_KM_0
Event \BaseNamedObjects\AgentToWkssvcEvent
Event \BaseNamedObjects\PCA_UnlockWksNotify
Event \BaseNamedObjects\PCA_LockWksNotify
Event \BaseNamedObjects\PCA_TAG_TEAM_0
Event \BaseNamedObjects\SENS Started Event
Event \BaseNamedObjects\userenv: user policy force refresh event
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy Processing is done
Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: user policy refresh event
Event \BaseNamedObjects\winlogon: User GPO Event 483671
Event \BaseNamedObjects\WlballoonLogoffNotificationEventName
Event \BaseNamedObjects\AUTOENRL:TriggerUserEnrollment
Event \BaseNamedObjects\CscCacheInitCompleteEvent
Event \BaseNamedObjects\ShellReadyEvent
Event \BaseNamedObjects\WlballoonLogoffNotificationEventName
Event \BaseNamedObjects\mixercallback
Event \BaseNamedObjects\00000000000a359c_WlballoonKerberosNotificationEventName
File \Device\NamedPipe\TerminalServer\AutoReconnect
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\KsecDD
File \Device\NamedPipe\InitShutdown
File \Device\NamedPipe\InitShutdown
File C:\WINDOWS\system32\dllcache
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File C:\WINDOWS\AppPatch
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
File C:\WINDOWS\system32
File C:\WINDOWS\Help
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
File C:\WINDOWS\system32\inetsrv
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
File C:\WINDOWS\Fonts
File C:\WINDOWS\system32\drivers
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
File C:\Program Files\microsoft frontpage\version3.0\bin
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
File C:\WINDOWS
File C:\Program Files\Common Files\Microsoft Shared\DAO
File C:\Program Files\Windows Media Player
File C:\Program Files\Common Files\System\msadc
File C:\Program Files\Common Files\System\ado
File C:\Program Files\Common Files\System\Ole DB
File C:\WINDOWS\inf
File C:\WINDOWS\system
File C:\WINDOWS\msagent
File C:\WINDOWS\msagent\intl
File C:\Program Files\MSN Gaming Zone\Windows
File C:\WINDOWS\PCHealth\HelpCtr\Binaries
File C:\Program Files\NetMeeting
File C:\WINDOWS\system32\drivers\disdn
File C:\WINDOWS\ime\CHTIME\Applets
File C:\WINDOWS\system32\wbem
File C:\WINDOWS\system32\IME\CINTLGNT
File C:\WINDOWS\system32\Com
File C:\WINDOWS\system32\Setup
File C:\WINDOWS\ime\IMJP8_1
File C:\Program Files\Common Files\Microsoft Shared\Triedit
File C:\Program Files\Windows NT
File C:\Program Files\Common Files\System
File C:\WINDOWS\system32\1033
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
File C:\WINDOWS\system32\usmt
File C:\WINDOWS\ime\IMKR6_1\Dicts
File C:\WINDOWS\system32\mui\0009
File C:\Program Files\Internet Explorer
File C:\WINDOWS\ime\IMJP8_1\APPLETS
File C:\WINDOWS\ime\IMKR6_1\Applets
File C:\WINDOWS\system32\xircom
File C:\Program Files\Internet Explorer\Connection Wizard
File C:\Program Files\Common Files\Microsoft Shared\MSInfo
File C:\WINDOWS\ime\IMKR6_1
File C:\WINDOWS\ime\SHARED
File C:\WINDOWS\system32\IME\PINTLGNT
File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
File C:\WINDOWS\Resources\Themes\Luna
File C:\Program Files\Movie Maker
File C:\WINDOWS\ime
File C:\WINDOWS\srchasst
File C:\Program Files\Outlook Express
File C:\WINDOWS\system32\oobe
File C:\Program Files\Common Files\MSSoap\Binaries
File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033
File C:\WINDOWS\mui
File C:\WINDOWS\system32\npp
File C:\WINDOWS\ime\SHARED\RES
File C:\Program Files\Windows NT\Pinball
File C:\WINDOWS\ime\CHSIME\APPLETS
File C:\WINDOWS\system32\Restore
File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
File C:\Program Files\Common Files\Microsoft Shared\Speech
File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
File C:\WINDOWS\system32\wbem\snmp
File C:\Program Files\Common Files\SpeechEngines\Microsoft
File C:\Program Files\Common Files\Microsoft Shared\Speech\1033
File C:\WINDOWS\PeerNet
File C:\WINDOWS\system32\spool\drivers\color
File C:\WINDOWS\system32\IME\TINTLGNT
File C:\WINDOWS\Help\Tours\mmTour
File C:\WINDOWS\PCHealth\UploadLB\Binaries
File C:\Program Files\Common Files\Microsoft Shared\VGX
File C:\WINDOWS\system32\wbem\xml
File C:\Program Files\Windows NT\Accessories
File C:\WINDOWS\system32\mui\0401
File C:\WINDOWS\system32\mui\0404
File C:\WINDOWS\system32\mui\0405
File C:\WINDOWS\system32\mui\0406
File C:\WINDOWS\system32\mui\0407
File C:\WINDOWS\system32\mui\0408
File C:\WINDOWS\system32\mui\040b
File C:\WINDOWS\system32\mui\040C
File C:\WINDOWS\system32\mui\040D
File C:\WINDOWS\system32\mui\040e
File C:\WINDOWS\system32\mui\0410
File C:\WINDOWS\system32\mui\0411
File C:\WINDOWS\system32\mui\0412
File C:\WINDOWS\system32\mui\0413
File C:\WINDOWS\system32\mui\0414
File C:\WINDOWS\system32\mui\0415
File C:\WINDOWS\system32\mui\0416
File C:\WINDOWS\system32\mui\0419
File C:\WINDOWS\system32\mui\041b
File C:\WINDOWS\system32\mui\041D
File C:\WINDOWS\system32\mui\041f
File C:\WINDOWS\system32\mui\0424
File C:\WINDOWS\system32\mui\0804
File C:\WINDOWS\system32\mui\0816
File C:\WINDOWS\system32\mui\0C0A
File C:\WINDOWS\system32\mui\0402
File C:\WINDOWS\system32\mui\0418
File C:\WINDOWS\system32\mui\041a
File C:\WINDOWS\system32\mui\041e
File C:\WINDOWS\system32\mui\0425
File C:\WINDOWS\system32\mui\0426
File C:\WINDOWS\system32\mui\0427
File C:\Program Files\xerox\nwwia
File C:\WINDOWS\WinSxS
File \Device\NamedPipe\SfcApi
File \Device\NamedPipe\SfcApi
File \Device\Tcp
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Ip
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\AsyncConnectHlp
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\LanmanRedirector
File \Device\NamedPipe\winlogonrpc
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\NamedPipe\winlogonrpc
File \Device\NamedPipe\winlogonrpc
File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4}
File C:\WINDOWS\system32
Key HKCR
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKCR
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Key HKCR\CLSID
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Key HKLM\SYSTEM\ControlSet001\Control\Lsa
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SYSTEM\Setup
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials
Key HKU
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKU
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKLM
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
Key HKCU
Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
Key HKU\.DEFAULT
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR
Key HKCR
Key HKCR\CLSID
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\userenv: machine policy mutex
Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex
Mutant \BaseNamedObjects\userenv: user policy mutex
Mutant \BaseNamedObjects\userenv: User Registry policy mutex
Mutant \BaseNamedObjects\SingleSesMutex
Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\WPA_PR_MUTEX
Mutant \BaseNamedObjects\WPA_RT_MUTEX
Mutant \BaseNamedObjects\WPA_LT_MUTEX
Mutant \BaseNamedObjects\WPA_HWID_MUTEX
Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX
Port \RPC Control\sclogonrpc
Port \RPC Control\IUserProfile
Port \RPC Control\OLE273DB90569D049E7BB5A549E0AAA
Process services.exe(1280)
Process lsass.exe(1292)
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\Debug.Memory.4d4
Section \BaseNamedObjects\WDMAUD_Callbacks
Section \BaseNamedObjects\mmGlobalPnpInfo
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Thread winlogon.exe(1236): 1240
Thread winlogon.exe(1236): 1644
Thread winlogon.exe(1236): 3668
Thread winlogon.exe(1236): 1240
Thread winlogon.exe(1236): 1260
Thread winlogon.exe(1236): 2404
Thread winlogon.exe(1236): 1268
Thread winlogon.exe(1236): 1276
Thread winlogon.exe(1236): 1288
Thread winlogon.exe(1236): 1380
Thread winlogon.exe(1236): 1380
Thread winlogon.exe(1236): 1384
Thread winlogon.exe(1236): 1388
Thread winlogon.exe(1236): 1420
Thread winlogon.exe(1236): 1524
Thread winlogon.exe(1236): 2448
Thread winlogon.exe(1236): 2212
Thread winlogon.exe(1236): 1272
Thread winlogon.exe(1236): 2208
Thread winlogon.exe(1236): 2004
Thread winlogon.exe(1236): 1644
Thread winlogon.exe(1236): 2212
Thread winlogon.exe(1236): 3516
Thread winlogon.exe(1236): 2220
Thread winlogon.exe(1236): 1644
Thread winlogon.exe(1236): 2220
Thread winlogon.exe(1236): 2140
Thread winlogon.exe(1236): 2676
Thread winlogon.exe(1236): 1644
Thread winlogon.exe(1236): 2404
Thread winlogon.exe(1236): 2216
Thread winlogon.exe(1236): 2404
Thread winlogon.exe(1236): 3216
Thread winlogon.exe(1236): 328
Thread winlogon.exe(1236): 2404
Thread winlogon.exe(1236): 3492
Timer \BaseNamedObjects\userenv: refresh timer for 1236:1644
Timer \BaseNamedObjects\AUTOENRL:MachineEnrollmentTimer
Timer \BaseNamedObjects\userenv: refresh timer for 1236:2404
Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentShellTimer
Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentTimer
Token domain\phil:a359c
Token NT AUTHORITY\NETWORK SERVICE:3e4
Token NT AUTHORITY\SYSTEM:3e7
Token NT AUTHORITY\SYSTEM:3e7
Token NT AUTHORITY\SYSTEM:3e7
Token domain\phil:a359c
Token domain\phil:a359c
Token domain\phil:a359c
Token domain\phil:a359c
Token domain\phil:a359c
Token NT AUTHORITY\SYSTEM:3e7
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0n
Is there a fix for this or a way to calm winlogon.exe down? It doesn't
seem to matter how long my session uptime is either since this was only
three days old.
Thank you in advance.
--
Phillip Pi
Senior Software Quality Assurance Analyst
ISP/Symantec Online Services, Consumer Business Unit
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail)
-----------------------------------------------------
Please do NOT e-mail me for technical support. DISCLAIMER: The views
expressed in this posting are mine, and do not necessarily reflect the
views of my employer. Thank you.