Guest Phillip Pi
Posted July 11, 2008

Hello.

I have a strange, rare, and annoying Windows XP Pro. SP2 (IE6.0 SP2; all critical updates and optional software for SP2) issue that has been around for three years or so, and I can't figure out what's going on.

Once in a while (very rare -- maybe once every one/two months?), winlogon.exe decides to go nuts and take one of my CPUs (I have a dual core Intel P4 Prescott machine). From there, software doesn't respond and some programs can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even if I force end task. When I try to shut down Windows to reboot, it gets stuck forever and I need to do a forced shutdown with the power switch on the Dell Optiplex GX280 case.

I tried viewing Process Explorer, Process Monitor, event logs, services via cmd.exe (administrative method freezes/doesn't respond), etc. and found nothing interesting.

Here are the Process Explorer exports:

From Process Explorer v11.20:

Is there a fix for this or a way to calm winlogon.exe down? It doesn't seem to matter how long my session uptime is either, since this one was only three days old.

Thank you in advance. :)
--
Phillip Pi
Senior Software Quality Assurance Analyst
ISP/Symantec Online Services, Consumer Business Unit
Symantec Corporation
http://www.symantec.com
-----------------------------------------------------
Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail)
-----------------------------------------------------
Please do NOT e-mail me for technical support.
DISCLAIMER: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. Thank you.

Guest JS
Posted July 11, 2008

Re: Once in a while, winlogon.exe will hog CPU and makes my Windows unresponsive.

"Endpoint Protection" Symantec CMC - Why are you using this? If not necessary for daily use try disabling it.

JS

"Phillip Pi" <phillip_pi@symantec.comSYMC> wrote in message news:%23V$CLQ54IHA.1428@TK2MSFTNGP06.phx.gbl...
> Hello.
>
> I have a strange rare and annoying Windows XP Pro. SP2 (IE6.0 SP2; all
> critical updates and optional softwares for SP2) issue that had been
> around for three years or so, and I can't figure out what's going on.
>
> Once in a while (very rare -- maybe once every one/two months?), I
> winlogon.exe decides to go nuts and take one of my CPU (have a dual core
> Intel P4 Prescott machine). From there, softwares don't respond and some
> can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even
> if I force end task. When I try to shut down Windows to reboot, it gets
> stuck forever and I need to do a force shut down on the power switch on
> the Dell Optiplex GX280 case.
>
> I tried viewing Process Explorer, Process Monitor, event logs, services
> via cmd.exe (administrative method freezes/doesn't respond), etc. and
> found nothing interesting. Here are the Process Explorer exports:
Microsoft Corporation 5.01.2600.2180 > WINSPOOL.DRV Windows Spooler Driver Microsoft Corporation 5.01.2600.2180 > WINSTA.dll Winstation Library Microsoft Corporation 5.01.2600.2180 > WINTRUST.dll Microsoft Trust Verification APIs Microsoft Corporation > 5.131.2600.2180 > WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180 > WlNotify.dll Common DLL to receive Winlogon notifications Microsoft > Corporation 5.01.2600.2180 > WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation > 5.01.2600.2180 > WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation > 5.01.2600.2180 > wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation > 5.01.2600.2180 > wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180 > WTSAPI32.dll Windows Terminal Server SDK APIs Microsoft Corporation > 5.01.2600.2180 > xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180 > > -- > > Process PID Description CPU Company Name > System Idle Process 0 41.18 Interrupts n/a Hardware Interrupts DPCs n/a > Deferred Procedure Calls System 4 smss.exe 1160 Windows NT Session Manager > Microsoft Corporation > csrss.exe 1208 Client Server Runtime Process Microsoft Corporation > winlogon.exe 1236 Windows NT Logon Application 50.00 Microsoft > Corporation > services.exe 1280 Services and Controller app 0.74 Microsoft > Corporation > svchost.exe 1480 Generic Host Process for Win32 Services 0.74 > Microsoft Corporation > svchost.exe 1536 Generic Host Process for Win32 Services Microsoft > Corporation > svchost.exe 456 Generic Host Process for Win32 Services Microsoft > Corporation > Smc.exe 724 Symantec CMC Smc 0.74 Symantec Corporation > SmcGui.exe 2168 Symantec CMC SmcGui 2.94 Symantec Corporation > svchost.exe 780 Generic Host Process for Win32 Services Microsoft > Corporation > svchost.exe 892 Generic Host Process for Win32 Services Microsoft > Corporation > SNAC.EXE 904 Symantec Network Access Control Symantec Corporation > 
ccSvcHst.exe 1968 Symantec Service Framework 0.74 Symantec > Corporation > spoolsv.exe 1916 Spooler SubSystem App Microsoft Corporation > AeXNSAgent.exe 1924 Altiris Agent Altiris, Inc. > AluSchedulerSvc.exe 524 Automatic LiveUpdate Scheduler Service > Symantec Corporation > ntmulti.exe 944 IBM Lotus Notes/Domino IBM Corp > NMSAccess.exe 968 p4ps.exe 1084 P4Webs.exe 1648 spkrmon.exe 1676 > SoundMAX SpeakerMonitor service Rtvscan.exe 1664 Symantec AntiVirus > Symantec Corporation > vmware-authd.exe 2192 VMware Authorization Service VMware, Inc. > vmount2.exe 2704 virtual disk mount service VMware, Inc. > vmnat.exe 2904 VMware NAT Service VMware, Inc. > vmnetdhcp.exe 3180 VMware VMnet DHCP service VMware, Inc. > alg.exe 2996 Application Layer Gateway Service Microsoft Corporation > lsass.exe 1292 LSA Shell (Export Version) Microsoft Corporation > explorer.exe 3228 Windows Explorer Microsoft Corporation > TaskSwitch.exe 3660 ccApp.exe 3100 Symantec User Session Symantec > Corporation > trillian.exe 1700 Trillian Cerulean Studios > OUTLOOK.EXE 2952 Microsoft Office Outlook Microsoft Corporation > seamonkey.exe 1012 SeaMonkey mozilla.org > taskmgr.exe 1616 Windows TaskManager Microsoft Corporation > procexp.exe 3392 Sysinternals Process Explorer 2.94 Sysinternals - > http://www.sysinternals.com > > Process: winlogon.exe Pid: 1236 > > Type Name > Desktop \Winlogon > Desktop \Disconnect > Desktop \Default > Desktop \Default > Directory \KnownDlls > Directory \Windows > Directory \BaseNamedObjects > Event \BaseNamedObjects\AUTOENRL:TriggerMachineEnrollment > Event \BaseNamedObjects\crypt32LogoffEvent > Event \BaseNamedObjects\userenv: User Profile setup event > Event \BaseNamedObjects\userenv: Machine Group Policy has been applied > Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs > Foreground Processing > Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done > Event \BaseNamedObjects\userenv: Machine Policy Foreground Done Event 
> Event \BaseNamedObjects\userenv: User Group Policy has been applied > Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs > Foreground Processing > Event \BaseNamedObjects\userenv: User Group Policy Processing is done > Event \BaseNamedObjects\userenv: User Policy Foreground Done Event > Event \BaseNamedObjects\WinlogonTSSynchronizeEvent > Event \BaseNamedObjects\TS-WPAAE > Event \BaseNamedObjects\ReconEvent > Event \Security\NetworkProviderLoad > Event \BaseNamedObjects\AtiExtEventGSNotificationEvent > Event \BaseNamedObjects\jjCSCSharedFillEvent_UM_KM > Event \BaseNamedObjects\hardwaremixercallback > Event \BaseNamedObjects\WFP_IDLE_TRIGGER > Event \BaseNamedObjects\Microsoft Smart Card Resource Manager Started > Event \BaseNamedObjects\msgina: ReturnToWelcome > Event \BaseNamedObjects\ThemesStartEvent > Event \BaseNamedObjects\DINPUTWINMM > Event \BaseNamedObjects\winlogon: machine GPO Event 70406 > Event \BaseNamedObjects\userenv: Machine Group Policy has been applied > Event \BaseNamedObjects\userenv: machine policy refresh event > Event \BaseNamedObjects\userenv: machine policy force refresh event > Event \BaseNamedObjects\userenv: Machine Group Policy has been applied > Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs > Foreground Processing > Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done > Event \BaseNamedObjects\AgentExistsEvent > Event \BaseNamedObjects\WkssvcToAgentStopEvent > Event \BaseNamedObjects\WkssvcToAgentStartEvent > Event \BaseNamedObjects\jjCSCSessEvent_UM_KM_0 > Event \BaseNamedObjects\AgentToWkssvcEvent > Event \BaseNamedObjects\PCA_UnlockWksNotify > Event \BaseNamedObjects\PCA_LockWksNotify > Event \BaseNamedObjects\PCA_TAG_TEAM_0 > Event \BaseNamedObjects\SENS Started Event > Event \BaseNamedObjects\userenv: user policy force refresh event > Event \BaseNamedObjects\userenv: User Group Policy has been applied > Event \BaseNamedObjects\userenv: User Group Policy has 
been applied > Event \BaseNamedObjects\userenv: User Group Policy Processing is done > Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs > Foreground Processing > Event \BaseNamedObjects\userenv: user policy refresh event > Event \BaseNamedObjects\winlogon: User GPO Event 483671 > Event \BaseNamedObjects\WlballoonLogoffNotificationEventName > Event \BaseNamedObjects\AUTOENRL:TriggerUserEnrollment > Event \BaseNamedObjects\CscCacheInitCompleteEvent > Event \BaseNamedObjects\ShellReadyEvent > Event \BaseNamedObjects\WlballoonLogoffNotificationEventName > Event \BaseNamedObjects\mixercallback > Event > \BaseNamedObjects\00000000000a359c_WlballoonKerberosNotificationEventName > File \Device\NamedPipe\TerminalServer\AutoReconnect > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > File \Device\KsecDD > File \Device\NamedPipe\InitShutdown > File \Device\NamedPipe\InitShutdown > File C:\WINDOWS\system32\dllcache > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > File C:\WINDOWS\AppPatch > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\isapi\_vti_adm > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\_vti_bin\_vti_adm > File C:\WINDOWS\system32 > File C:\WINDOWS\Help > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\isapi\_vti_aut > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\_vti_bin\_vti_aut > File C:\WINDOWS\system32\inetsrv > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\bin > File C:\WINDOWS\Fonts > File C:\WINDOWS\system32\drivers > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\servsupp > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\bots\vinavbar > File C:\Program Files\microsoft frontpage\version3.0\bin 
> File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\_vti_bin > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\bin\1033 > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\isapi > File C:\WINDOWS > File C:\Program Files\Common Files\Microsoft Shared\DAO > File C:\Program Files\Windows Media Player > File C:\Program Files\Common Files\System\msadc > File C:\Program Files\Common Files\System\ado > File C:\Program Files\Common Files\System\Ole DB > File C:\WINDOWS\inf > File C:\WINDOWS\system > File C:\WINDOWS\msagent > File C:\WINDOWS\msagent\intl > File C:\Program Files\MSN Gaming Zone\Windows > File C:\WINDOWS\PCHealth\HelpCtr\Binaries > File C:\Program Files\NetMeeting > File C:\WINDOWS\system32\drivers\disdn > File C:\WINDOWS\ime\CHTIME\Applets > File C:\WINDOWS\system32\wbem > File C:\WINDOWS\system32\IME\CINTLGNT > File C:\WINDOWS\system32\Com > File C:\WINDOWS\system32\Setup > File C:\WINDOWS\ime\IMJP8_1 > File C:\Program Files\Common Files\Microsoft Shared\Triedit > File C:\Program Files\Windows NT > File C:\Program Files\Common Files\System > File C:\WINDOWS\system32\1033 > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\admcgi\scripts > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\admisapi\scripts > File C:\WINDOWS\system32\usmt > File C:\WINDOWS\ime\IMKR6_1\Dicts > File C:\WINDOWS\system32\mui\0009 > File C:\Program Files\Internet Explorer > File C:\WINDOWS\ime\IMJP8_1\APPLETS > File C:\WINDOWS\ime\IMKR6_1\Applets > File C:\WINDOWS\system32\xircom > File C:\Program Files\Internet Explorer\Connection Wizard > File C:\Program Files\Common Files\Microsoft Shared\MSInfo > File C:\WINDOWS\ime\IMKR6_1 > File C:\WINDOWS\ime\SHARED > File C:\WINDOWS\system32\IME\PINTLGNT > File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033 > File C:\WINDOWS\Resources\Themes\Luna > File C:\Program Files\Movie 
Maker > File C:\WINDOWS\ime > File C:\WINDOWS\srchasst > File C:\Program Files\Outlook Express > File C:\WINDOWS\system32\oobe > File C:\Program Files\Common Files\MSSoap\Binaries > File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033 > File C:\WINDOWS\mui > File C:\WINDOWS\system32\npp > File C:\WINDOWS\ime\SHARED\RES > File C:\Program Files\Windows NT\Pinball > File C:\WINDOWS\ime\CHSIME\APPLETS > File C:\WINDOWS\system32\Restore > File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033 > File C:\Program Files\Common Files\Microsoft Shared\Speech > File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor > File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead > File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic > File C:\WINDOWS\system32\wbem\snmp > File C:\Program Files\Common Files\SpeechEngines\Microsoft > File C:\Program Files\Common Files\Microsoft Shared\Speech\1033 > File C:\WINDOWS\PeerNet > File C:\WINDOWS\system32\spool\drivers\color > File C:\WINDOWS\system32\IME\TINTLGNT > File C:\WINDOWS\Help\Tours\mmTour > File C:\WINDOWS\PCHealth\UploadLB\Binaries > File C:\Program Files\Common Files\Microsoft Shared\VGX > File C:\WINDOWS\system32\wbem\xml > File C:\Program Files\Windows NT\Accessories > File C:\WINDOWS\system32\mui\0401 > File C:\WINDOWS\system32\mui\0404 > File C:\WINDOWS\system32\mui\0405 > File C:\WINDOWS\system32\mui\0406 > File C:\WINDOWS\system32\mui\0407 > File C:\WINDOWS\system32\mui\0408 > File C:\WINDOWS\system32\mui\040b > File C:\WINDOWS\system32\mui\040C > File C:\WINDOWS\system32\mui\040D > File C:\WINDOWS\system32\mui\040e > File C:\WINDOWS\system32\mui\0410 > File C:\WINDOWS\system32\mui\0411 > File C:\WINDOWS\system32\mui\0412 > File C:\WINDOWS\system32\mui\0413 > File C:\WINDOWS\system32\mui\0414 > File C:\WINDOWS\system32\mui\0415 > File C:\WINDOWS\system32\mui\0416 > File C:\WINDOWS\system32\mui\0419 > File C:\WINDOWS\system32\mui\041b > File C:\WINDOWS\system32\mui\041D > File 
C:\WINDOWS\system32\mui\041f > File C:\WINDOWS\system32\mui\0424 > File C:\WINDOWS\system32\mui\0804 > File C:\WINDOWS\system32\mui\0816 > File C:\WINDOWS\system32\mui\0C0A > File C:\WINDOWS\system32\mui\0402 > File C:\WINDOWS\system32\mui\0418 > File C:\WINDOWS\system32\mui\041a > File C:\WINDOWS\system32\mui\041e > File C:\WINDOWS\system32\mui\0425 > File C:\WINDOWS\system32\mui\0426 > File C:\WINDOWS\system32\mui\0427 > File C:\Program Files\xerox\nwwia > File C:\WINDOWS\WinSxS > File \Device\NamedPipe\SfcApi > File \Device\NamedPipe\SfcApi > File \Device\Tcp > File \Device\Tcp > File \Device\Ip > File \Device\Ip > File \Device\Ip > File \Device\Afd\Endpoint > File \Device\Udp > File \Device\Afd\AsyncConnectHlp > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > File \Device\LanmanRedirector > File \Device\NamedPipe\winlogonrpc > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > File \Device\NamedPipe\winlogonrpc > File \Device\NamedPipe\winlogonrpc > File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4} > File C:\WINDOWS\system32 > Key HKCR > Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale > Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts > Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups > Key HKCR > Key > HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 > Key > HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\crypt32chain > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\cryptnet > Key HKCR\CLSID > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\sclgntfy > Key HKLM\SYSTEM\ControlSet001\Control\Lsa > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Key 
HKLM\SYSTEM\Setup > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials > Key HKU > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 > Key HKU > Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage > Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters > Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces > Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters > Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet > Settings > Key HKLM > Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\WgaLogon > Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache > Key HKCU > Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam > Key HKU\.DEFAULT > Key HKCR > Key HKCR > Key HKCR > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKU > Key HKU > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKCR > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKCR > Key HKCR > Key HKCR\CLSID > Key HKCR > Key HKCR > Key HKCR > Key HKCR > Key HKCR > Key HKCR > Key HKCR > KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent > Mutant \BaseNamedObjects\userenv: machine policy mutex > Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex > Mutant \BaseNamedObjects\userenv: user policy mutex > Mutant \BaseNamedObjects\userenv: User Registry policy mutex > Mutant \BaseNamedObjects\SingleSesMutex > Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex > Mutant \BaseNamedObjects\ShimCacheMutex > Mutant \BaseNamedObjects\WPA_PR_MUTEX > Mutant \BaseNamedObjects\WPA_RT_MUTEX > Mutant \BaseNamedObjects\WPA_LT_MUTEX > Mutant \BaseNamedObjects\WPA_HWID_MUTEX > Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX > Port \RPC Control\sclogonrpc > Port \RPC Control\IUserProfile > Port \RPC 
Control\OLE273DB90569D049E7BB5A549E0AAA > Process services.exe(1280) > Process lsass.exe(1292) > Section \BaseNamedObjects\ShimSharedMemory > Section \BaseNamedObjects\Debug.Memory.4d4 > Section \BaseNamedObjects\WDMAUD_Callbacks > Section \BaseNamedObjects\mmGlobalPnpInfo > Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} > Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} > Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57} > Thread winlogon.exe(1236): 1240 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 3668 > Thread winlogon.exe(1236): 1240 > Thread winlogon.exe(1236): 1260 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 1268 > Thread winlogon.exe(1236): 1276 > Thread winlogon.exe(1236): 1288 > Thread winlogon.exe(1236): 1380 > Thread winlogon.exe(1236): 1380 > Thread winlogon.exe(1236): 1384 > Thread winlogon.exe(1236): 1388 > Thread winlogon.exe(1236): 1420 > Thread winlogon.exe(1236): 1524 > Thread winlogon.exe(1236): 2448 > Thread winlogon.exe(1236): 2212 > Thread winlogon.exe(1236): 1272 > Thread winlogon.exe(1236): 2208 > Thread winlogon.exe(1236): 2004 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 2212 > Thread winlogon.exe(1236): 3516 > Thread winlogon.exe(1236): 2220 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 2220 > Thread winlogon.exe(1236): 2140 > Thread winlogon.exe(1236): 2676 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 2216 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 3216 > Thread winlogon.exe(1236): 328 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 3492 > Timer \BaseNamedObjects\userenv: refresh timer for 1236:1644 > Timer \BaseNamedObjects\AUTOENRL:MachineEnrollmentTimer > Timer \BaseNamedObjects\userenv: refresh timer for 1236:2404 > Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentShellTimer > Timer 
\BaseNamedObjects\AUTOENRL:UserEnrollmentTimer > Token domain\phil:a359c > Token NT AUTHORITY\NETWORK SERVICE:3e4 > Token NT AUTHORITY\SYSTEM:3e7 > Token NT AUTHORITY\SYSTEM:3e7 > Token NT AUTHORITY\SYSTEM:3e7 > Token domain\phil:a359c > Token domain\phil:a359c > Token domain\phil:a359c > Token domain\phil:a359c > Token domain\phil:a359c > Token NT AUTHORITY\SYSTEM:3e7 > WindowStation \Windows\WindowStations\WinSta0 > WindowStation \Windows\WindowStations\WinSta0n > > Is there a fix for this or a way to calm winlogon.exe down? It doesn't > seem to matter how long my session uptime is either since this was only > three days old. > > Thank you in advance. :) > -- > Phillip Pi > Senior Software Quality Assurance Analyst > ISP/Symantec Online Services, Consumer Business Unit > Symantec Corporation > http://www.symantec.com > ----------------------------------------------------- > Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail) > ----------------------------------------------------- > Please do NOT e-mail me for technical support. DISCLAIMER: The views > expressed in this posting are mine, and do not necessarily reflect the > views of my employer. Thank you.
Guest Phillip Pi Posted July 12, 2008

Re: Once in a while, winlogon.exe will hog CPU and makes my Windows unresponsive.

IT requires everyone to use it. I had Symantec Client Security (SCS) in the past before SEP, and still had those rare winlogon.exe going nuts so it is not by SEP.

On 7/11/2008 2:04 PM PT, JS wrote:
> "Endpoint Protection" Symantec CMC - Why are you using this?
> If not necessary for daily use try disabling it.
>
> JS
>
> "Phillip Pi" <phillip_pi@symantec.comSYMC> wrote in message
> news:%23V$CLQ54IHA.1428@TK2MSFTNGP06.phx.gbl...
>> Hello.
>>
>> I have a strange rare and annoying Windows XP Pro. SP2 (IE6.0 SP2; all
>> critical updates and optional softwares for SP2) issue that had been
>> around for three years or so, and I can't figure out what's going on.
>>
>> Once in a while (very rare -- maybe once every one/two months?), I
>> winlogon.exe decides to go nuts and take one of my CPU (have a dual core
>> Intel P4 Prescott machine). From there, softwares don't respond and some
>> can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even
>> if I force end task. When I try to shut down Windows to reboot, it gets
>> stuck forever and I need to do a force shut down on the power switch on
>> the Dell Optiplex GX280 case.
>>
>> I tried viewing Process Explorer, Process Monitor, event logs, services
>> via cmd.exe (administrative method freezes/doesn't respond), etc. and
>> found nothing interesting.
>> Here are the Process Explorer exports:
Machine Group Policy ForcedRefresh Needs >> Foreground Processing >> Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done >> Event \BaseNamedObjects\userenv: Machine Policy Foreground Done Event >> Event \BaseNamedObjects\userenv: User Group Policy has been applied >> Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs >> Foreground Processing >> Event \BaseNamedObjects\userenv: User Group Policy Processing is done >> Event \BaseNamedObjects\userenv: User Policy Foreground Done Event >> Event \BaseNamedObjects\WinlogonTSSynchronizeEvent >> Event \BaseNamedObjects\TS-WPAAE >> Event \BaseNamedObjects\ReconEvent >> Event \Security\NetworkProviderLoad >> Event \BaseNamedObjects\AtiExtEventGSNotificationEvent >> Event \BaseNamedObjects\jjCSCSharedFillEvent_UM_KM >> Event \BaseNamedObjects\hardwaremixercallback >> Event \BaseNamedObjects\WFP_IDLE_TRIGGER >> Event \BaseNamedObjects\Microsoft Smart Card Resource Manager Started >> Event \BaseNamedObjects\msgina: ReturnToWelcome >> Event \BaseNamedObjects\ThemesStartEvent >> Event \BaseNamedObjects\DINPUTWINMM >> Event \BaseNamedObjects\winlogon: machine GPO Event 70406 >> Event \BaseNamedObjects\userenv: Machine Group Policy has been applied >> Event \BaseNamedObjects\userenv: machine policy refresh event >> Event \BaseNamedObjects\userenv: machine policy force refresh event >> Event \BaseNamedObjects\userenv: Machine Group Policy has been applied >> Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs >> Foreground Processing >> Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done >> Event \BaseNamedObjects\AgentExistsEvent >> Event \BaseNamedObjects\WkssvcToAgentStopEvent >> Event \BaseNamedObjects\WkssvcToAgentStartEvent >> Event \BaseNamedObjects\jjCSCSessEvent_UM_KM_0 >> Event \BaseNamedObjects\AgentToWkssvcEvent >> Event \BaseNamedObjects\PCA_UnlockWksNotify >> Event \BaseNamedObjects\PCA_LockWksNotify >> Event 
\BaseNamedObjects\PCA_TAG_TEAM_0 >> Event \BaseNamedObjects\SENS Started Event >> Event \BaseNamedObjects\userenv: user policy force refresh event >> Event \BaseNamedObjects\userenv: User Group Policy has been applied >> Event \BaseNamedObjects\userenv: User Group Policy has been applied >> Event \BaseNamedObjects\userenv: User Group Policy Processing is done >> Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs >> Foreground Processing >> Event \BaseNamedObjects\userenv: user policy refresh event >> Event \BaseNamedObjects\winlogon: User GPO Event 483671 >> Event \BaseNamedObjects\WlballoonLogoffNotificationEventName >> Event \BaseNamedObjects\AUTOENRL:TriggerUserEnrollment >> Event \BaseNamedObjects\CscCacheInitCompleteEvent >> Event \BaseNamedObjects\ShellReadyEvent >> Event \BaseNamedObjects\WlballoonLogoffNotificationEventName >> Event \BaseNamedObjects\mixercallback >> Event >> \BaseNamedObjects\00000000000a359c_WlballoonKerberosNotificationEventName >> File \Device\NamedPipe\TerminalServer\AutoReconnect >> File >> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >> File \Device\KsecDD >> File \Device\NamedPipe\InitShutdown >> File \Device\NamedPipe\InitShutdown >> File C:\WINDOWS\system32\dllcache >> File >> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >> File C:\WINDOWS\AppPatch >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\isapi\_vti_adm >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\_vti_bin\_vti_adm >> File C:\WINDOWS\system32 >> File C:\WINDOWS\Help >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\isapi\_vti_aut >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\_vti_bin\_vti_aut >> File C:\WINDOWS\system32\inetsrv >> File C:\Program Files\Common Files\Microsoft Shared\web server >> 
extensions\40\bin >> File C:\WINDOWS\Fonts >> File C:\WINDOWS\system32\drivers >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\servsupp >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\bots\vinavbar >> File C:\Program Files\microsoft frontpage\version3.0\bin >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\_vti_bin >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\bin\1033 >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\isapi >> File C:\WINDOWS >> File C:\Program Files\Common Files\Microsoft Shared\DAO >> File C:\Program Files\Windows Media Player >> File C:\Program Files\Common Files\System\msadc >> File C:\Program Files\Common Files\System\ado >> File C:\Program Files\Common Files\System\Ole DB >> File C:\WINDOWS\inf >> File C:\WINDOWS\system >> File C:\WINDOWS\msagent >> File C:\WINDOWS\msagent\intl >> File C:\Program Files\MSN Gaming Zone\Windows >> File C:\WINDOWS\PCHealth\HelpCtr\Binaries >> File C:\Program Files\NetMeeting >> File C:\WINDOWS\system32\drivers\disdn >> File C:\WINDOWS\ime\CHTIME\Applets >> File C:\WINDOWS\system32\wbem >> File C:\WINDOWS\system32\IME\CINTLGNT >> File C:\WINDOWS\system32\Com >> File C:\WINDOWS\system32\Setup >> File C:\WINDOWS\ime\IMJP8_1 >> File C:\Program Files\Common Files\Microsoft Shared\Triedit >> File C:\Program Files\Windows NT >> File C:\Program Files\Common Files\System >> File C:\WINDOWS\system32\1033 >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\admcgi\scripts >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\admisapi\scripts >> File C:\WINDOWS\system32\usmt >> File C:\WINDOWS\ime\IMKR6_1\Dicts >> File C:\WINDOWS\system32\mui\0009 >> File C:\Program Files\Internet Explorer >> File C:\WINDOWS\ime\IMJP8_1\APPLETS >> File C:\WINDOWS\ime\IMKR6_1\Applets >> File 
C:\WINDOWS\system32\xircom >> File C:\Program Files\Internet Explorer\Connection Wizard >> File C:\Program Files\Common Files\Microsoft Shared\MSInfo >> File C:\WINDOWS\ime\IMKR6_1 >> File C:\WINDOWS\ime\SHARED >> File C:\WINDOWS\system32\IME\PINTLGNT >> File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033 >> File C:\WINDOWS\Resources\Themes\Luna >> File C:\Program Files\Movie Maker >> File C:\WINDOWS\ime >> File C:\WINDOWS\srchasst >> File C:\Program Files\Outlook Express >> File C:\WINDOWS\system32\oobe >> File C:\Program Files\Common Files\MSSoap\Binaries >> File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033 >> File C:\WINDOWS\mui >> File C:\WINDOWS\system32\npp >> File C:\WINDOWS\ime\SHARED\RES >> File C:\Program Files\Windows NT\Pinball >> File C:\WINDOWS\ime\CHSIME\APPLETS >> File C:\WINDOWS\system32\Restore >> File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033 >> File C:\Program Files\Common Files\Microsoft Shared\Speech >> File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor >> File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead >> File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic >> File C:\WINDOWS\system32\wbem\snmp >> File C:\Program Files\Common Files\SpeechEngines\Microsoft >> File C:\Program Files\Common Files\Microsoft Shared\Speech\1033 >> File C:\WINDOWS\PeerNet >> File C:\WINDOWS\system32\spool\drivers\color >> File C:\WINDOWS\system32\IME\TINTLGNT >> File C:\WINDOWS\Help\Tours\mmTour >> File C:\WINDOWS\PCHealth\UploadLB\Binaries >> File C:\Program Files\Common Files\Microsoft Shared\VGX >> File C:\WINDOWS\system32\wbem\xml >> File C:\Program Files\Windows NT\Accessories >> File C:\WINDOWS\system32\mui\0401 >> File C:\WINDOWS\system32\mui\0404 >> File C:\WINDOWS\system32\mui\0405 >> File C:\WINDOWS\system32\mui\0406 >> File C:\WINDOWS\system32\mui\0407 >> File C:\WINDOWS\system32\mui\0408 >> File C:\WINDOWS\system32\mui\040b >> File C:\WINDOWS\system32\mui\040C >> File 
C:\WINDOWS\system32\mui\040D >> File C:\WINDOWS\system32\mui\040e >> File C:\WINDOWS\system32\mui\0410 >> File C:\WINDOWS\system32\mui\0411 >> File C:\WINDOWS\system32\mui\0412 >> File C:\WINDOWS\system32\mui\0413 >> File C:\WINDOWS\system32\mui\0414 >> File C:\WINDOWS\system32\mui\0415 >> File C:\WINDOWS\system32\mui\0416 >> File C:\WINDOWS\system32\mui\0419 >> File C:\WINDOWS\system32\mui\041b >> File C:\WINDOWS\system32\mui\041D >> File C:\WINDOWS\system32\mui\041f >> File C:\WINDOWS\system32\mui\0424 >> File C:\WINDOWS\system32\mui\0804 >> File C:\WINDOWS\system32\mui\0816 >> File C:\WINDOWS\system32\mui\0C0A >> File C:\WINDOWS\system32\mui\0402 >> File C:\WINDOWS\system32\mui\0418 >> File C:\WINDOWS\system32\mui\041a >> File C:\WINDOWS\system32\mui\041e >> File C:\WINDOWS\system32\mui\0425 >> File C:\WINDOWS\system32\mui\0426 >> File C:\WINDOWS\system32\mui\0427 >> File C:\Program Files\xerox\nwwia >> File C:\WINDOWS\WinSxS >> File \Device\NamedPipe\SfcApi >> File \Device\NamedPipe\SfcApi >> File \Device\Tcp >> File \Device\Tcp >> File \Device\Ip >> File \Device\Ip >> File \Device\Ip >> File \Device\Afd\Endpoint >> File \Device\Udp >> File \Device\Afd\AsyncConnectHlp >> File >> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >> File \Device\LanmanRedirector >> File \Device\NamedPipe\winlogonrpc >> File >> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >> File \Device\NamedPipe\winlogonrpc >> File \Device\NamedPipe\winlogonrpc >> File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4} >> File C:\WINDOWS\system32 >> Key HKCR >> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale >> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts >> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups >> Key HKCR >> Key >> HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 >> Key >> 
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\crypt32chain >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\cryptnet >> Key HKCR\CLSID >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\sclgntfy >> Key HKLM\SYSTEM\ControlSet001\Control\Lsa >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >> Key HKLM\SYSTEM\Setup >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials >> Key HKU >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 >> Key HKU >> Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage >> Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters >> Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces >> Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters >> Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet >> Settings >> Key HKLM >> Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\WgaLogon >> Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache >> Key HKCU >> Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam >> Key HKU\.DEFAULT >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKU >> Key HKU >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKCR >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKCR >> Key HKCR >> Key HKCR\CLSID >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent >> Mutant \BaseNamedObjects\userenv: machine policy mutex >> Mutant \BaseNamedObjects\userenv: 
Machine Registry policy mutex >> Mutant \BaseNamedObjects\userenv: user policy mutex >> Mutant \BaseNamedObjects\userenv: User Registry policy mutex >> Mutant \BaseNamedObjects\SingleSesMutex >> Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex >> Mutant \BaseNamedObjects\ShimCacheMutex >> Mutant \BaseNamedObjects\WPA_PR_MUTEX >> Mutant \BaseNamedObjects\WPA_RT_MUTEX >> Mutant \BaseNamedObjects\WPA_LT_MUTEX >> Mutant \BaseNamedObjects\WPA_HWID_MUTEX >> Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX >> Port \RPC Control\sclogonrpc >> Port \RPC Control\IUserProfile >> Port \RPC Control\OLE273DB90569D049E7BB5A549E0AAA >> Process services.exe(1280) >> Process lsass.exe(1292) >> Section \BaseNamedObjects\ShimSharedMemory >> Section \BaseNamedObjects\Debug.Memory.4d4 >> Section \BaseNamedObjects\WDMAUD_Callbacks >> Section \BaseNamedObjects\mmGlobalPnpInfo >> Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} >> Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} >> Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57} >> Thread winlogon.exe(1236): 1240 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 3668 >> Thread winlogon.exe(1236): 1240 >> Thread winlogon.exe(1236): 1260 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 1268 >> Thread winlogon.exe(1236): 1276 >> Thread winlogon.exe(1236): 1288 >> Thread winlogon.exe(1236): 1380 >> Thread winlogon.exe(1236): 1380 >> Thread winlogon.exe(1236): 1384 >> Thread winlogon.exe(1236): 1388 >> Thread winlogon.exe(1236): 1420 >> Thread winlogon.exe(1236): 1524 >> Thread winlogon.exe(1236): 2448 >> Thread winlogon.exe(1236): 2212 >> Thread winlogon.exe(1236): 1272 >> Thread winlogon.exe(1236): 2208 >> Thread winlogon.exe(1236): 2004 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 2212 >> Thread winlogon.exe(1236): 3516 >> Thread winlogon.exe(1236): 2220 >> Thread winlogon.exe(1236): 1644 >> Thread 
winlogon.exe(1236): 2220 >> Thread winlogon.exe(1236): 2140 >> Thread winlogon.exe(1236): 2676 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 2216 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 3216 >> Thread winlogon.exe(1236): 328 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 3492 >> Timer \BaseNamedObjects\userenv: refresh timer for 1236:1644 >> Timer \BaseNamedObjects\AUTOENRL:MachineEnrollmentTimer >> Timer \BaseNamedObjects\userenv: refresh timer for 1236:2404 >> Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentShellTimer >> Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentTimer >> Token domain\phil:a359c >> Token NT AUTHORITY\NETWORK SERVICE:3e4 >> Token NT AUTHORITY\SYSTEM:3e7 >> Token NT AUTHORITY\SYSTEM:3e7 >> Token NT AUTHORITY\SYSTEM:3e7 >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token NT AUTHORITY\SYSTEM:3e7 >> WindowStation \Windows\WindowStations\WinSta0 >> WindowStation \Windows\WindowStations\WinSta0n >> >> Is there a fix for this or a way to calm winlogon.exe down? It doesn't >> seem to matter how long my session uptime is either since this was only >> three days old. >> >> Thank you in advance. :) -- Phillip Pi (aka Ant) Senior Software Quality Assurance Analyst ISP/Symantec Online Services, Consumer Business Unit Symantec Corporation http://www.symantec.com ----------------------------------------------------- Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail) ----------------------------------------------------- Please do NOT e-mail me for technical support. DISCLAIMER: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. Thank you.
Guest Phillip Pi Posted July 13, 2008

Re: Once in a while, winlogon.exe will hog CPU and makes my Windows unresponsive.

I did more research today since I had another one earlier today. :( According to Process Explorer v11.20's winlogon.exe's threads properties, WINMM.dll!PlaySoundW+0x77f was the one hogging the CPU (not sure if this was the same as before since I never went this deep). Here's Process Explorer exported log: http://pastebin.ca/1071193 (no wordwrapping since this is wide and expires in 30 days).

That sounds like audio so I checked my headphones and heard NO sounds. I tried disabling and enabling SoundMAX Integrated Digital Audio in device manager, but that didn't help. I believe I have the latest drivers (2004).

On 7/11/2008 1:23 PM PT, Phillip Pi wrote:
> Hello.
>
> I have a strange rare and annoying Windows XP Pro. SP2 (IE6.0 SP2; all
> critical updates and optional softwares for SP2) issue that had been
> around for three years or so, and I can't figure out what's going on.
>
> Once in a while (very rare -- maybe once every one/two months?), I
> winlogon.exe decides to go nuts and take one of my CPU (have a dual core
> Intel P4 Prescott machine). From there, softwares don't respond and some
> can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even
> if I force end task. When I try to shut down Windows to reboot, it gets
> stuck forever and I need to do a force shut down on the power switch on
> the Dell Optiplex GX280 case.
>
> I tried viewing Process Explorer, Process Monitor, event logs, services
> via cmd.exe (administrative method freezes/doesn't respond), etc. and
> found nothing interesting.
> Here are the Process Explorer exports:
> Event \BaseNamedObjects\userenv: Machine Policy Foreground Done Event > Event \BaseNamedObjects\userenv: User Group Policy has been applied > Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh > Needs Foreground Processing > Event \BaseNamedObjects\userenv: User Group Policy Processing is done > Event \BaseNamedObjects\userenv: User Policy Foreground Done Event > Event \BaseNamedObjects\WinlogonTSSynchronizeEvent > Event \BaseNamedObjects\TS-WPAAE > Event \BaseNamedObjects\ReconEvent > Event \Security\NetworkProviderLoad > Event \BaseNamedObjects\AtiExtEventGSNotificationEvent > Event \BaseNamedObjects\jjCSCSharedFillEvent_UM_KM > Event \BaseNamedObjects\hardwaremixercallback > Event \BaseNamedObjects\WFP_IDLE_TRIGGER > Event \BaseNamedObjects\Microsoft Smart Card Resource Manager Started > Event \BaseNamedObjects\msgina: ReturnToWelcome > Event \BaseNamedObjects\ThemesStartEvent > Event \BaseNamedObjects\DINPUTWINMM > Event \BaseNamedObjects\winlogon: machine GPO Event 70406 > Event \BaseNamedObjects\userenv: Machine Group Policy has been applied > Event \BaseNamedObjects\userenv: machine policy refresh event > Event \BaseNamedObjects\userenv: machine policy force refresh event > Event \BaseNamedObjects\userenv: Machine Group Policy has been applied > Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh > Needs Foreground Processing > Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done > Event \BaseNamedObjects\AgentExistsEvent > Event \BaseNamedObjects\WkssvcToAgentStopEvent > Event \BaseNamedObjects\WkssvcToAgentStartEvent > Event \BaseNamedObjects\jjCSCSessEvent_UM_KM_0 > Event \BaseNamedObjects\AgentToWkssvcEvent > Event \BaseNamedObjects\PCA_UnlockWksNotify > Event \BaseNamedObjects\PCA_LockWksNotify > Event \BaseNamedObjects\PCA_TAG_TEAM_0 > Event \BaseNamedObjects\SENS Started Event > Event \BaseNamedObjects\userenv: user policy force refresh event > Event \BaseNamedObjects\userenv: User Group Policy has 
been applied > Event \BaseNamedObjects\userenv: User Group Policy has been applied > Event \BaseNamedObjects\userenv: User Group Policy Processing is done > Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh > Needs Foreground Processing > Event \BaseNamedObjects\userenv: user policy refresh event > Event \BaseNamedObjects\winlogon: User GPO Event 483671 > Event \BaseNamedObjects\WlballoonLogoffNotificationEventName > Event \BaseNamedObjects\AUTOENRL:TriggerUserEnrollment > Event \BaseNamedObjects\CscCacheInitCompleteEvent > Event \BaseNamedObjects\ShellReadyEvent > Event \BaseNamedObjects\WlballoonLogoffNotificationEventName > Event \BaseNamedObjects\mixercallback > Event > \BaseNamedObjects\00000000000a359c_WlballoonKerberosNotificationEventName > File \Device\NamedPipe\TerminalServer\AutoReconnect > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > > File \Device\KsecDD > File \Device\NamedPipe\InitShutdown > File \Device\NamedPipe\InitShutdown > File C:\WINDOWS\system32\dllcache > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > > File C:\WINDOWS\AppPatch > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\isapi\_vti_adm > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\_vti_bin\_vti_adm > File C:\WINDOWS\system32 > File C:\WINDOWS\Help > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\isapi\_vti_aut > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\_vti_bin\_vti_aut > File C:\WINDOWS\system32\inetsrv > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\bin > File C:\WINDOWS\Fonts > File C:\WINDOWS\system32\drivers > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\servsupp > File C:\Program Files\Common Files\Microsoft Shared\web server > 
extensions\40\bots\vinavbar > File C:\Program Files\microsoft frontpage\version3.0\bin > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\_vti_bin > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\bin\1033 > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\isapi > File C:\WINDOWS > File C:\Program Files\Common Files\Microsoft Shared\DAO > File C:\Program Files\Windows Media Player > File C:\Program Files\Common Files\System\msadc > File C:\Program Files\Common Files\System\ado > File C:\Program Files\Common Files\System\Ole DB > File C:\WINDOWS\inf > File C:\WINDOWS\system > File C:\WINDOWS\msagent > File C:\WINDOWS\msagent\intl > File C:\Program Files\MSN Gaming Zone\Windows > File C:\WINDOWS\PCHealth\HelpCtr\Binaries > File C:\Program Files\NetMeeting > File C:\WINDOWS\system32\drivers\disdn > File C:\WINDOWS\ime\CHTIME\Applets > File C:\WINDOWS\system32\wbem > File C:\WINDOWS\system32\IME\CINTLGNT > File C:\WINDOWS\system32\Com > File C:\WINDOWS\system32\Setup > File C:\WINDOWS\ime\IMJP8_1 > File C:\Program Files\Common Files\Microsoft Shared\Triedit > File C:\Program Files\Windows NT > File C:\Program Files\Common Files\System > File C:\WINDOWS\system32\1033 > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\admcgi\scripts > File C:\Program Files\Common Files\Microsoft Shared\web server > extensions\40\admisapi\scripts > File C:\WINDOWS\system32\usmt > File C:\WINDOWS\ime\IMKR6_1\Dicts > File C:\WINDOWS\system32\mui\0009 > File C:\Program Files\Internet Explorer > File C:\WINDOWS\ime\IMJP8_1\APPLETS > File C:\WINDOWS\ime\IMKR6_1\Applets > File C:\WINDOWS\system32\xircom > File C:\Program Files\Internet Explorer\Connection Wizard > File C:\Program Files\Common Files\Microsoft Shared\MSInfo > File C:\WINDOWS\ime\IMKR6_1 > File C:\WINDOWS\ime\SHARED > File C:\WINDOWS\system32\IME\PINTLGNT > File C:\Program Files\Common 
Files\SpeechEngines\Microsoft\Lexicon\1033 > File C:\WINDOWS\Resources\Themes\Luna > File C:\Program Files\Movie Maker > File C:\WINDOWS\ime > File C:\WINDOWS\srchasst > File C:\Program Files\Outlook Express > File C:\WINDOWS\system32\oobe > File C:\Program Files\Common Files\MSSoap\Binaries > File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033 > File C:\WINDOWS\mui > File C:\WINDOWS\system32\npp > File C:\WINDOWS\ime\SHARED\RES > File C:\Program Files\Windows NT\Pinball > File C:\WINDOWS\ime\CHSIME\APPLETS > File C:\WINDOWS\system32\Restore > File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033 > File C:\Program Files\Common Files\Microsoft Shared\Speech > File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor > File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead > File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic > File C:\WINDOWS\system32\wbem\snmp > File C:\Program Files\Common Files\SpeechEngines\Microsoft > File C:\Program Files\Common Files\Microsoft Shared\Speech\1033 > File C:\WINDOWS\PeerNet > File C:\WINDOWS\system32\spool\drivers\color > File C:\WINDOWS\system32\IME\TINTLGNT > File C:\WINDOWS\Help\Tours\mmTour > File C:\WINDOWS\PCHealth\UploadLB\Binaries > File C:\Program Files\Common Files\Microsoft Shared\VGX > File C:\WINDOWS\system32\wbem\xml > File C:\Program Files\Windows NT\Accessories > File C:\WINDOWS\system32\mui\0401 > File C:\WINDOWS\system32\mui\0404 > File C:\WINDOWS\system32\mui\0405 > File C:\WINDOWS\system32\mui\0406 > File C:\WINDOWS\system32\mui\0407 > File C:\WINDOWS\system32\mui\0408 > File C:\WINDOWS\system32\mui\040b > File C:\WINDOWS\system32\mui\040C > File C:\WINDOWS\system32\mui\040D > File C:\WINDOWS\system32\mui\040e > File C:\WINDOWS\system32\mui\0410 > File C:\WINDOWS\system32\mui\0411 > File C:\WINDOWS\system32\mui\0412 > File C:\WINDOWS\system32\mui\0413 > File C:\WINDOWS\system32\mui\0414 > File C:\WINDOWS\system32\mui\0415 > File C:\WINDOWS\system32\mui\0416 > File 
C:\WINDOWS\system32\mui\0419 > File C:\WINDOWS\system32\mui\041b > File C:\WINDOWS\system32\mui\041D > File C:\WINDOWS\system32\mui\041f > File C:\WINDOWS\system32\mui\0424 > File C:\WINDOWS\system32\mui\0804 > File C:\WINDOWS\system32\mui\0816 > File C:\WINDOWS\system32\mui\0C0A > File C:\WINDOWS\system32\mui\0402 > File C:\WINDOWS\system32\mui\0418 > File C:\WINDOWS\system32\mui\041a > File C:\WINDOWS\system32\mui\041e > File C:\WINDOWS\system32\mui\0425 > File C:\WINDOWS\system32\mui\0426 > File C:\WINDOWS\system32\mui\0427 > File C:\Program Files\xerox\nwwia > File C:\WINDOWS\WinSxS > File \Device\NamedPipe\SfcApi > File \Device\NamedPipe\SfcApi > File \Device\Tcp > File \Device\Tcp > File \Device\Ip > File \Device\Ip > File \Device\Ip > File \Device\Afd\Endpoint > File \Device\Udp > File \Device\Afd\AsyncConnectHlp > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > > File \Device\LanmanRedirector > File \Device\NamedPipe\winlogonrpc > File > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 > > File \Device\NamedPipe\winlogonrpc > File \Device\NamedPipe\winlogonrpc > File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4} > File C:\WINDOWS\system32 > Key HKCR > Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale > Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts > Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups > Key HKCR > Key > HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 > Key > HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\crypt32chain > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\cryptnet > Key HKCR\CLSID > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\sclgntfy > Key HKLM\SYSTEM\ControlSet001\Control\Lsa > Key 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Key HKLM\SYSTEM\Setup > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Credentials > Key HKU > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 > Key HKU > Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage > Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters > Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces > Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters > Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet > Settings > Key HKLM > Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder > Key HKLM\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon\Notify\WgaLogon > Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache > Key HKCU > Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam > Key HKU\.DEFAULT > Key HKCR > Key HKCR > Key HKCR > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKU > Key HKU > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKCR > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKLM\SOFTWARE\Microsoft\COM3 > Key HKCR > Key HKCR > Key HKCR\CLSID > Key HKCR > Key HKCR > Key HKCR > Key HKCR > Key HKCR > Key HKCR > Key HKCR > KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent > Mutant \BaseNamedObjects\userenv: machine policy mutex > Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex > Mutant \BaseNamedObjects\userenv: user policy mutex > Mutant \BaseNamedObjects\userenv: User Registry policy mutex > Mutant \BaseNamedObjects\SingleSesMutex > Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex > Mutant \BaseNamedObjects\ShimCacheMutex > Mutant \BaseNamedObjects\WPA_PR_MUTEX > Mutant \BaseNamedObjects\WPA_RT_MUTEX > Mutant \BaseNamedObjects\WPA_LT_MUTEX > Mutant 
\BaseNamedObjects\WPA_HWID_MUTEX > Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX > Port \RPC Control\sclogonrpc > Port \RPC Control\IUserProfile > Port \RPC Control\OLE273DB90569D049E7BB5A549E0AAA > Process services.exe(1280) > Process lsass.exe(1292) > Section \BaseNamedObjects\ShimSharedMemory > Section \BaseNamedObjects\Debug.Memory.4d4 > Section \BaseNamedObjects\WDMAUD_Callbacks > Section \BaseNamedObjects\mmGlobalPnpInfo > Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} > Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} > Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57} > Thread winlogon.exe(1236): 1240 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 3668 > Thread winlogon.exe(1236): 1240 > Thread winlogon.exe(1236): 1260 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 1268 > Thread winlogon.exe(1236): 1276 > Thread winlogon.exe(1236): 1288 > Thread winlogon.exe(1236): 1380 > Thread winlogon.exe(1236): 1380 > Thread winlogon.exe(1236): 1384 > Thread winlogon.exe(1236): 1388 > Thread winlogon.exe(1236): 1420 > Thread winlogon.exe(1236): 1524 > Thread winlogon.exe(1236): 2448 > Thread winlogon.exe(1236): 2212 > Thread winlogon.exe(1236): 1272 > Thread winlogon.exe(1236): 2208 > Thread winlogon.exe(1236): 2004 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 2212 > Thread winlogon.exe(1236): 3516 > Thread winlogon.exe(1236): 2220 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 2220 > Thread winlogon.exe(1236): 2140 > Thread winlogon.exe(1236): 2676 > Thread winlogon.exe(1236): 1644 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 2216 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 3216 > Thread winlogon.exe(1236): 328 > Thread winlogon.exe(1236): 2404 > Thread winlogon.exe(1236): 3492 > Timer \BaseNamedObjects\userenv: refresh timer for 1236:1644 > Timer \BaseNamedObjects\AUTOENRL:MachineEnrollmentTimer > 
> Is there a fix for this or a way to calm winlogon.exe down? It doesn't seem to matter how long my session uptime is either since this was only three days old.
>
> Thank you in advance. :)

--
Phillip Pi
Senior Software Quality Assurance Analyst
ISP/Symantec Online Services, Consumer Business Unit
Symantec Corporation
http://www.symantec.com
-----------------------------------------------------
Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail)
-----------------------------------------------------
Please do NOT e-mail me for technical support. DISCLAIMER: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. Thank you.
Guest JS Posted July 14, 2008

Re: Once in a while, winlogon.exe will hog CPU and makes my Windows unresponsive.

Current version of winmm.dll for Windows SP2 is: "5.1.2600.2180"
Located in C:\Windows\system32

JS

"Phillip Pi" <phillip_pi@symantec.comSYMC> wrote in message news:%234aDdIU5IHA.2348@TK2MSFTNGP06.phx.gbl...
> I did more research today since I had another one earlier today. :( According to Process Explorer v11.20's winlogon.exe's threads properties, WINMM.dll!PlaySoundW+0x77f was the one hogging the CPU (not sure if this was the same as before since I never went this deep). Here's Process Explorer exported log: http://pastebin.ca/1071193 (no wordwrapping since this is wide and expires in 30 days). That sounds like audio so I check my headphones and heard NO sounds. I tried disabling and enabling SoundMAX Integrated Digital Audio in device manager, but that didn't help. I believe I have the latest drivers (2004).
>
> On 7/11/2008 1:23 PM PT, Phillip Pi wrote:
>
>> Hello.
>>
>> I have a strange rare and annoying Windows XP Pro. SP2 (IE6.0 SP2; all critical updates and optional softwares for SP2) issue that had been around for three years or so, and I can't figure out what's going on.
>>
>> Once in a while (very rare -- maybe once every one/two months?), I winlogon.exe decides to go nuts and take one of my CPU (have a dual core Intel P4 Prescott machine). From there, softwares don't respond and some can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even if I force end task. When I try to shut down Windows to reboot, it gets stuck forever and I need to do a force shut down on the power switch on the Dell Optiplex GX280 case.
>>
>> I tried viewing Process Explorer, Process Monitor, event logs, services via cmd.exe (administrative method freezes/doesn't respond), etc. and found nothing interesting.
>> Here are the Process Explorer exports:
>>
>> From Process Explorer v11.20:
C:\WINDOWS\system32\inetsrv >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\bin >> File C:\WINDOWS\Fonts >> File C:\WINDOWS\system32\drivers >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\servsupp >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\bots\vinavbar >> File C:\Program Files\microsoft frontpage\version3.0\bin >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\_vti_bin >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\bin\1033 >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\isapi >> File C:\WINDOWS >> File C:\Program Files\Common Files\Microsoft Shared\DAO >> File C:\Program Files\Windows Media Player >> File C:\Program Files\Common Files\System\msadc >> File C:\Program Files\Common Files\System\ado >> File C:\Program Files\Common Files\System\Ole DB >> File C:\WINDOWS\inf >> File C:\WINDOWS\system >> File C:\WINDOWS\msagent >> File C:\WINDOWS\msagent\intl >> File C:\Program Files\MSN Gaming Zone\Windows >> File C:\WINDOWS\PCHealth\HelpCtr\Binaries >> File C:\Program Files\NetMeeting >> File C:\WINDOWS\system32\drivers\disdn >> File C:\WINDOWS\ime\CHTIME\Applets >> File C:\WINDOWS\system32\wbem >> File C:\WINDOWS\system32\IME\CINTLGNT >> File C:\WINDOWS\system32\Com >> File C:\WINDOWS\system32\Setup >> File C:\WINDOWS\ime\IMJP8_1 >> File C:\Program Files\Common Files\Microsoft Shared\Triedit >> File C:\Program Files\Windows NT >> File C:\Program Files\Common Files\System >> File C:\WINDOWS\system32\1033 >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\admcgi\scripts >> File C:\Program Files\Common Files\Microsoft Shared\web server >> extensions\40\admisapi\scripts >> File C:\WINDOWS\system32\usmt >> File C:\WINDOWS\ime\IMKR6_1\Dicts >> File C:\WINDOWS\system32\mui\0009 >> File C:\Program Files\Internet Explorer >> File 
C:\WINDOWS\ime\IMJP8_1\APPLETS >> File C:\WINDOWS\ime\IMKR6_1\Applets >> File C:\WINDOWS\system32\xircom >> File C:\Program Files\Internet Explorer\Connection Wizard >> File C:\Program Files\Common Files\Microsoft Shared\MSInfo >> File C:\WINDOWS\ime\IMKR6_1 >> File C:\WINDOWS\ime\SHARED >> File C:\WINDOWS\system32\IME\PINTLGNT >> File C:\Program Files\Common >> Files\SpeechEngines\Microsoft\Lexicon\1033 >> File C:\WINDOWS\Resources\Themes\Luna >> File C:\Program Files\Movie Maker >> File C:\WINDOWS\ime >> File C:\WINDOWS\srchasst >> File C:\Program Files\Outlook Express >> File C:\WINDOWS\system32\oobe >> File C:\Program Files\Common Files\MSSoap\Binaries >> File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033 >> File C:\WINDOWS\mui >> File C:\WINDOWS\system32\npp >> File C:\WINDOWS\ime\SHARED\RES >> File C:\Program Files\Windows NT\Pinball >> File C:\WINDOWS\ime\CHSIME\APPLETS >> File C:\WINDOWS\system32\Restore >> File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033 >> File C:\Program Files\Common Files\Microsoft Shared\Speech >> File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor >> File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead >> File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic >> File C:\WINDOWS\system32\wbem\snmp >> File C:\Program Files\Common Files\SpeechEngines\Microsoft >> File C:\Program Files\Common Files\Microsoft Shared\Speech\1033 >> File C:\WINDOWS\PeerNet >> File C:\WINDOWS\system32\spool\drivers\color >> File C:\WINDOWS\system32\IME\TINTLGNT >> File C:\WINDOWS\Help\Tours\mmTour >> File C:\WINDOWS\PCHealth\UploadLB\Binaries >> File C:\Program Files\Common Files\Microsoft Shared\VGX >> File C:\WINDOWS\system32\wbem\xml >> File C:\Program Files\Windows NT\Accessories >> File C:\WINDOWS\system32\mui\0401 >> File C:\WINDOWS\system32\mui\0404 >> File C:\WINDOWS\system32\mui\0405 >> File C:\WINDOWS\system32\mui\0406 >> File C:\WINDOWS\system32\mui\0407 >> File C:\WINDOWS\system32\mui\0408 >> File 
C:\WINDOWS\system32\mui\040b >> File C:\WINDOWS\system32\mui\040C >> File C:\WINDOWS\system32\mui\040D >> File C:\WINDOWS\system32\mui\040e >> File C:\WINDOWS\system32\mui\0410 >> File C:\WINDOWS\system32\mui\0411 >> File C:\WINDOWS\system32\mui\0412 >> File C:\WINDOWS\system32\mui\0413 >> File C:\WINDOWS\system32\mui\0414 >> File C:\WINDOWS\system32\mui\0415 >> File C:\WINDOWS\system32\mui\0416 >> File C:\WINDOWS\system32\mui\0419 >> File C:\WINDOWS\system32\mui\041b >> File C:\WINDOWS\system32\mui\041D >> File C:\WINDOWS\system32\mui\041f >> File C:\WINDOWS\system32\mui\0424 >> File C:\WINDOWS\system32\mui\0804 >> File C:\WINDOWS\system32\mui\0816 >> File C:\WINDOWS\system32\mui\0C0A >> File C:\WINDOWS\system32\mui\0402 >> File C:\WINDOWS\system32\mui\0418 >> File C:\WINDOWS\system32\mui\041a >> File C:\WINDOWS\system32\mui\041e >> File C:\WINDOWS\system32\mui\0425 >> File C:\WINDOWS\system32\mui\0426 >> File C:\WINDOWS\system32\mui\0427 >> File C:\Program Files\xerox\nwwia >> File C:\WINDOWS\WinSxS >> File \Device\NamedPipe\SfcApi >> File \Device\NamedPipe\SfcApi >> File \Device\Tcp >> File \Device\Tcp >> File \Device\Ip >> File \Device\Ip >> File \Device\Ip >> File \Device\Afd\Endpoint >> File \Device\Udp >> File \Device\Afd\AsyncConnectHlp >> File >> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >> File \Device\LanmanRedirector >> File \Device\NamedPipe\winlogonrpc >> File >> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >> File \Device\NamedPipe\winlogonrpc >> File \Device\NamedPipe\winlogonrpc >> File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4} >> File C:\WINDOWS\system32 >> Key HKCR >> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale >> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts >> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups >> Key HKCR >> Key >> 
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 >> Key >> HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\crypt32chain >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\cryptnet >> Key HKCR\CLSID >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\sclgntfy >> Key HKLM\SYSTEM\ControlSet001\Control\Lsa >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >> Key HKLM\SYSTEM\Setup >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Credentials >> Key HKU >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 >> Key HKU >> Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage >> Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters >> Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces >> Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters >> Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet >> Settings >> Key HKLM >> Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder >> Key HKLM\SOFTWARE\Microsoft\Windows >> NT\CurrentVersion\Winlogon\Notify\WgaLogon >> Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache >> Key HKCU >> Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam >> Key HKU\.DEFAULT >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKU >> Key HKU >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKCR >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKLM\SOFTWARE\Microsoft\COM3 >> Key HKCR >> Key HKCR >> Key HKCR\CLSID >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> Key HKCR >> KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent >> Mutant 
\BaseNamedObjects\userenv: machine policy mutex >> Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex >> Mutant \BaseNamedObjects\userenv: user policy mutex >> Mutant \BaseNamedObjects\userenv: User Registry policy mutex >> Mutant \BaseNamedObjects\SingleSesMutex >> Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex >> Mutant \BaseNamedObjects\ShimCacheMutex >> Mutant \BaseNamedObjects\WPA_PR_MUTEX >> Mutant \BaseNamedObjects\WPA_RT_MUTEX >> Mutant \BaseNamedObjects\WPA_LT_MUTEX >> Mutant \BaseNamedObjects\WPA_HWID_MUTEX >> Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX >> Port \RPC Control\sclogonrpc >> Port \RPC Control\IUserProfile >> Port \RPC Control\OLE273DB90569D049E7BB5A549E0AAA >> Process services.exe(1280) >> Process lsass.exe(1292) >> Section \BaseNamedObjects\ShimSharedMemory >> Section \BaseNamedObjects\Debug.Memory.4d4 >> Section \BaseNamedObjects\WDMAUD_Callbacks >> Section \BaseNamedObjects\mmGlobalPnpInfo >> Semaphore >> \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} >> Semaphore >> \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} >> Semaphore >> \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57} >> Thread winlogon.exe(1236): 1240 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 3668 >> Thread winlogon.exe(1236): 1240 >> Thread winlogon.exe(1236): 1260 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 1268 >> Thread winlogon.exe(1236): 1276 >> Thread winlogon.exe(1236): 1288 >> Thread winlogon.exe(1236): 1380 >> Thread winlogon.exe(1236): 1380 >> Thread winlogon.exe(1236): 1384 >> Thread winlogon.exe(1236): 1388 >> Thread winlogon.exe(1236): 1420 >> Thread winlogon.exe(1236): 1524 >> Thread winlogon.exe(1236): 2448 >> Thread winlogon.exe(1236): 2212 >> Thread winlogon.exe(1236): 1272 >> Thread winlogon.exe(1236): 2208 >> Thread winlogon.exe(1236): 2004 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 2212 >> Thread winlogon.exe(1236): 
3516 >> Thread winlogon.exe(1236): 2220 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 2220 >> Thread winlogon.exe(1236): 2140 >> Thread winlogon.exe(1236): 2676 >> Thread winlogon.exe(1236): 1644 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 2216 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 3216 >> Thread winlogon.exe(1236): 328 >> Thread winlogon.exe(1236): 2404 >> Thread winlogon.exe(1236): 3492 >> Timer \BaseNamedObjects\userenv: refresh timer for 1236:1644 >> Timer \BaseNamedObjects\AUTOENRL:MachineEnrollmentTimer >> Timer \BaseNamedObjects\userenv: refresh timer for 1236:2404 >> Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentShellTimer >> Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentTimer >> Token domain\phil:a359c >> Token NT AUTHORITY\NETWORK SERVICE:3e4 >> Token NT AUTHORITY\SYSTEM:3e7 >> Token NT AUTHORITY\SYSTEM:3e7 >> Token NT AUTHORITY\SYSTEM:3e7 >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token domain\phil:a359c >> Token NT AUTHORITY\SYSTEM:3e7 >> WindowStation \Windows\WindowStations\WinSta0 >> WindowStation \Windows\WindowStations\WinSta0n >> >> Is there a fix for this or a way to calm winlogon.exe down? It doesn't >> seem to matter how long my session uptime is either since this was only >> three days old. >> >> Thank you in advance. :) > -- > Phillip Pi > Senior Software Quality Assurance Analyst > ISP/Symantec Online Services, Consumer Business Unit > Symantec Corporation > http://www.symantec.com > ----------------------------------------------------- > Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail) > ----------------------------------------------------- > Please do NOT e-mail me for technical support. DISCLAIMER: The views > expressed in this posting are mine, and do not necessarily reflect the > views of my employer. Thank you.
Guest Phillip Pi
Posted July 14, 2008

Re: Once in a while, winlogon.exe will hog CPU and makes my Windows unresponsive.

Yep: 5.1.2600.2180. So far so good after uninstalling K-Lite Codec Full Pack. It might be causing my audio to go wacky to make winlogon.exe go nuts. We'll see...

On 7/14/2008 10:27 AM PT, JS wrote:
> Current version of winmm.dll for Windows SP2 is: "5.1.2600.2180"
> Located in C:\Windows\system32
>
> JS
>
> "Phillip Pi" <phillip_pi@symantec.comSYMC> wrote in message
> news:%234aDdIU5IHA.2348@TK2MSFTNGP06.phx.gbl...
>> I did more research today since I had another one earlier today. :(
>> According to Process Explorer v11.20's winlogon.exe's threads properties,
>> WINMM.dll!PlaySoundW+0x77f was the one hogging the CPU (not sure if this
>> was the same as before since I never went this deep). Here's Process
>> Explorer exported log: http://pastebin.ca/1071193 (no wordwrapping since
>> this is wide and expires in 30 days). That sounds like audio so I check my
>> headphones and heard NO sounds. I tried disabling and enabling SoundMAX
>> Integrated Digital Audio in device manager, but that didn't help. I believe
>> I have the latest drivers (2004).
>>
>>
>> On 7/11/2008 1:23 PM PT, Phillip Pi wrote:
>>
>>> Hello.
>>>
>>> I have a strange rare and annoying Windows XP Pro. SP2 (IE6.0 SP2; all
>>> critical updates and optional softwares for SP2) issue that had been
>>> around for three years or so, and I can't figure out what's going on.
>>>
>>> Once in a while (very rare -- maybe once every one/two months?), I
>>> winlogon.exe decides to go nuts and take one of my CPU (have a dual core
>>> Intel P4 Prescott machine). From there, softwares don't respond and some
>>> can't be shut down (e.g., SeaMonkey.exe, Trillian.exe, Outlook.exe) even
>>> if I force end task.
>>> When I try to shut down Windows to reboot, it gets
>>> stuck forever and I need to do a force shut down on the power switch on
>>> the Dell Optiplex GX280 case.
>>>
>>> I tried viewing Process Explorer, Process Monitor, event logs, services
>>> via cmd.exe (administrative method freezes/doesn't respond), etc. and
>>> found nothing interesting. Here are the Process Explorer exports:
>>>
>>> From Process Explorer v11.20:
Files\System\msadc >>> File C:\Program Files\Common Files\System\ado >>> File C:\Program Files\Common Files\System\Ole DB >>> File C:\WINDOWS\inf >>> File C:\WINDOWS\system >>> File C:\WINDOWS\msagent >>> File C:\WINDOWS\msagent\intl >>> File C:\Program Files\MSN Gaming Zone\Windows >>> File C:\WINDOWS\PCHealth\HelpCtr\Binaries >>> File C:\Program Files\NetMeeting >>> File C:\WINDOWS\system32\drivers\disdn >>> File C:\WINDOWS\ime\CHTIME\Applets >>> File C:\WINDOWS\system32\wbem >>> File C:\WINDOWS\system32\IME\CINTLGNT >>> File C:\WINDOWS\system32\Com >>> File C:\WINDOWS\system32\Setup >>> File C:\WINDOWS\ime\IMJP8_1 >>> File C:\Program Files\Common Files\Microsoft Shared\Triedit >>> File C:\Program Files\Windows NT >>> File C:\Program Files\Common Files\System >>> File C:\WINDOWS\system32\1033 >>> File C:\Program Files\Common Files\Microsoft Shared\web server >>> extensions\40\admcgi\scripts >>> File C:\Program Files\Common Files\Microsoft Shared\web server >>> extensions\40\admisapi\scripts >>> File C:\WINDOWS\system32\usmt >>> File C:\WINDOWS\ime\IMKR6_1\Dicts >>> File C:\WINDOWS\system32\mui\0009 >>> File C:\Program Files\Internet Explorer >>> File C:\WINDOWS\ime\IMJP8_1\APPLETS >>> File C:\WINDOWS\ime\IMKR6_1\Applets >>> File C:\WINDOWS\system32\xircom >>> File C:\Program Files\Internet Explorer\Connection Wizard >>> File C:\Program Files\Common Files\Microsoft Shared\MSInfo >>> File C:\WINDOWS\ime\IMKR6_1 >>> File C:\WINDOWS\ime\SHARED >>> File C:\WINDOWS\system32\IME\PINTLGNT >>> File C:\Program Files\Common >>> Files\SpeechEngines\Microsoft\Lexicon\1033 >>> File C:\WINDOWS\Resources\Themes\Luna >>> File C:\Program Files\Movie Maker >>> File C:\WINDOWS\ime >>> File C:\WINDOWS\srchasst >>> File C:\Program Files\Outlook Express >>> File C:\WINDOWS\system32\oobe >>> File C:\Program Files\Common Files\MSSoap\Binaries >>> File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033 >>> File C:\WINDOWS\mui >>> File C:\WINDOWS\system32\npp >>> File 
C:\WINDOWS\ime\SHARED\RES >>> File C:\Program Files\Windows NT\Pinball >>> File C:\WINDOWS\ime\CHSIME\APPLETS >>> File C:\WINDOWS\system32\Restore >>> File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033 >>> File C:\Program Files\Common Files\Microsoft Shared\Speech >>> File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor >>> File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead >>> File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic >>> File C:\WINDOWS\system32\wbem\snmp >>> File C:\Program Files\Common Files\SpeechEngines\Microsoft >>> File C:\Program Files\Common Files\Microsoft Shared\Speech\1033 >>> File C:\WINDOWS\PeerNet >>> File C:\WINDOWS\system32\spool\drivers\color >>> File C:\WINDOWS\system32\IME\TINTLGNT >>> File C:\WINDOWS\Help\Tours\mmTour >>> File C:\WINDOWS\PCHealth\UploadLB\Binaries >>> File C:\Program Files\Common Files\Microsoft Shared\VGX >>> File C:\WINDOWS\system32\wbem\xml >>> File C:\Program Files\Windows NT\Accessories >>> File C:\WINDOWS\system32\mui\0401 >>> File C:\WINDOWS\system32\mui\0404 >>> File C:\WINDOWS\system32\mui\0405 >>> File C:\WINDOWS\system32\mui\0406 >>> File C:\WINDOWS\system32\mui\0407 >>> File C:\WINDOWS\system32\mui\0408 >>> File C:\WINDOWS\system32\mui\040b >>> File C:\WINDOWS\system32\mui\040C >>> File C:\WINDOWS\system32\mui\040D >>> File C:\WINDOWS\system32\mui\040e >>> File C:\WINDOWS\system32\mui\0410 >>> File C:\WINDOWS\system32\mui\0411 >>> File C:\WINDOWS\system32\mui\0412 >>> File C:\WINDOWS\system32\mui\0413 >>> File C:\WINDOWS\system32\mui\0414 >>> File C:\WINDOWS\system32\mui\0415 >>> File C:\WINDOWS\system32\mui\0416 >>> File C:\WINDOWS\system32\mui\0419 >>> File C:\WINDOWS\system32\mui\041b >>> File C:\WINDOWS\system32\mui\041D >>> File C:\WINDOWS\system32\mui\041f >>> File C:\WINDOWS\system32\mui\0424 >>> File C:\WINDOWS\system32\mui\0804 >>> File C:\WINDOWS\system32\mui\0816 >>> File C:\WINDOWS\system32\mui\0C0A >>> File C:\WINDOWS\system32\mui\0402 >>> File 
C:\WINDOWS\system32\mui\0418 >>> File C:\WINDOWS\system32\mui\041a >>> File C:\WINDOWS\system32\mui\041e >>> File C:\WINDOWS\system32\mui\0425 >>> File C:\WINDOWS\system32\mui\0426 >>> File C:\WINDOWS\system32\mui\0427 >>> File C:\Program Files\xerox\nwwia >>> File C:\WINDOWS\WinSxS >>> File \Device\NamedPipe\SfcApi >>> File \Device\NamedPipe\SfcApi >>> File \Device\Tcp >>> File \Device\Tcp >>> File \Device\Ip >>> File \Device\Ip >>> File \Device\Ip >>> File \Device\Afd\Endpoint >>> File \Device\Udp >>> File \Device\Afd\AsyncConnectHlp >>> File >>> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >>> File \Device\LanmanRedirector >>> File \Device\NamedPipe\winlogonrpc >>> File >>> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 >>> File \Device\NamedPipe\winlogonrpc >>> File \Device\NamedPipe\winlogonrpc >>> File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4} >>> File C:\WINDOWS\system32 >>> Key HKCR >>> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale >>> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts >>> Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups >>> Key HKCR >>> Key >>> HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 >>> Key >>> HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 >>> Key HKLM\SOFTWARE\Microsoft\Windows >>> NT\CurrentVersion\Winlogon\Notify\crypt32chain >>> Key HKLM\SOFTWARE\Microsoft\Windows >>> NT\CurrentVersion\Winlogon\Notify\cryptnet >>> Key HKCR\CLSID >>> Key HKLM\SOFTWARE\Microsoft\Windows >>> NT\CurrentVersion\Winlogon\Notify\sclgntfy >>> Key HKLM\SYSTEM\ControlSet001\Control\Lsa >>> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >>> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >>> Key HKLM\SYSTEM\Setup >>> Key HKLM\SOFTWARE\Microsoft\Windows >>> NT\CurrentVersion\Winlogon\Credentials >>> Key HKU >>> Key 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 >>> Key HKU >>> Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage >>> Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters >>> Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces >>> Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters >>> Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet >>> Settings >>> Key HKLM >>> Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder >>> Key HKLM\SOFTWARE\Microsoft\Windows >>> NT\CurrentVersion\Winlogon\Notify\WgaLogon >>> Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache >>> Key HKCU >>> Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam >>> Key HKU\.DEFAULT >>> Key HKCR >>> Key HKCR >>> Key HKCR >>> Key HKLM\SOFTWARE\Microsoft\COM3 >>> Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >>> Key HKLM\SOFTWARE\Microsoft\COM3 >>> Key HKLM\SOFTWARE\Microsoft\COM3 >>> Key HKU >>> Key HKU >>> Key HKLM\SOFTWARE\Microsoft\COM3 >>> Key HKCR >>> Key HKLM\SOFTWARE\Microsoft\COM3 >>> Key HKLM\SOFTWARE\Microsoft\COM3 >>> Key HKCR >>> Key HKCR >>> Key HKCR\CLSID >>> Key HKCR >>> Key HKCR >>> Key HKCR >>> Key HKCR >>> Key HKCR >>> Key HKCR >>> Key HKCR >>> KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent >>> Mutant \BaseNamedObjects\userenv: machine policy mutex >>> Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex >>> Mutant \BaseNamedObjects\userenv: user policy mutex >>> Mutant \BaseNamedObjects\userenv: User Registry policy mutex >>> Mutant \BaseNamedObjects\SingleSesMutex >>> Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex >>> Mutant \BaseNamedObjects\ShimCacheMutex >>> Mutant \BaseNamedObjects\WPA_PR_MUTEX >>> Mutant \BaseNamedObjects\WPA_RT_MUTEX >>> Mutant \BaseNamedObjects\WPA_LT_MUTEX >>> Mutant \BaseNamedObjects\WPA_HWID_MUTEX >>> Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX >>> Port \RPC Control\sclogonrpc >>> Port \RPC Control\IUserProfile >>> Port \RPC 
Control\OLE273DB90569D049E7BB5A549E0AAA >>> Process services.exe(1280) >>> Process lsass.exe(1292) >>> Section \BaseNamedObjects\ShimSharedMemory >>> Section \BaseNamedObjects\Debug.Memory.4d4 >>> Section \BaseNamedObjects\WDMAUD_Callbacks >>> Section \BaseNamedObjects\mmGlobalPnpInfo >>> Semaphore >>> \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} >>> Semaphore >>> \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} >>> Semaphore >>> \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57} >>> Thread winlogon.exe(1236): 1240 >>> Thread winlogon.exe(1236): 1644 >>> Thread winlogon.exe(1236): 3668 >>> Thread winlogon.exe(1236): 1240 >>> Thread winlogon.exe(1236): 1260 >>> Thread winlogon.exe(1236): 2404 >>> Thread winlogon.exe(1236): 1268 >>> Thread winlogon.exe(1236): 1276 >>> Thread winlogon.exe(1236): 1288 >>> Thread winlogon.exe(1236): 1380 >>> Thread winlogon.exe(1236): 1380 >>> Thread winlogon.exe(1236): 1384 >>> Thread winlogon.exe(1236): 1388 >>> Thread winlogon.exe(1236): 1420 >>> Thread winlogon.exe(1236): 1524 >>> Thread winlogon.exe(1236): 2448 >>> Thread winlogon.exe(1236): 2212 >>> Thread winlogon.exe(1236): 1272 >>> Thread winlogon.exe(1236): 2208 >>> Thread winlogon.exe(1236): 2004 >>> Thread winlogon.exe(1236): 1644 >>> Thread winlogon.exe(1236): 2212 >>> Thread winlogon.exe(1236): 3516 >>> Thread winlogon.exe(1236): 2220 >>> Thread winlogon.exe(1236): 1644 >>> Thread winlogon.exe(1236): 2220 >>> Thread winlogon.exe(1236): 2140 >>> Thread winlogon.exe(1236): 2676 >>> Thread winlogon.exe(1236): 1644 >>> Thread winlogon.exe(1236): 2404 >>> Thread winlogon.exe(1236): 2216 >>> Thread winlogon.exe(1236): 2404 >>> Thread winlogon.exe(1236): 3216 >>> Thread winlogon.exe(1236): 328 >>> Thread winlogon.exe(1236): 2404 >>> Thread winlogon.exe(1236): 3492 >>> Timer \BaseNamedObjects\userenv: refresh timer for 1236:1644 >>> Timer \BaseNamedObjects\AUTOENRL:MachineEnrollmentTimer >>> Timer \BaseNamedObjects\userenv: refresh timer 
for 1236:2404 >>> Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentShellTimer >>> Timer \BaseNamedObjects\AUTOENRL:UserEnrollmentTimer >>> Token domain\phil:a359c >>> Token NT AUTHORITY\NETWORK SERVICE:3e4 >>> Token NT AUTHORITY\SYSTEM:3e7 >>> Token NT AUTHORITY\SYSTEM:3e7 >>> Token NT AUTHORITY\SYSTEM:3e7 >>> Token domain\phil:a359c >>> Token domain\phil:a359c >>> Token domain\phil:a359c >>> Token domain\phil:a359c >>> Token domain\phil:a359c >>> Token NT AUTHORITY\SYSTEM:3e7 >>> WindowStation \Windows\WindowStations\WinSta0 >>> WindowStation \Windows\WindowStations\WinSta0n >>> >>> Is there a fix for this or a way to calm winlogon.exe down? It doesn't >>> seem to matter how long my session uptime is either since this was only >>> three days old. >>> >>> Thank you in advance. :) -- Phillip Pi Senior Software Quality Assurance Analyst ISP/Symantec Online Services, Consumer Business Unit Symantec Corporation http://www.symantec.com ----------------------------------------------------- Email: phillip_pi@symantec.comSYMC (remove SYMC to reply by e-mail) ----------------------------------------------------- Please do NOT e-mail me for technical support. DISCLAIMER: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. Thank you.