  1. #1
    contink's Avatar
    Join Date
    Jul 2006
    Location
    South Yorkshire
    Posts
    3,791
    Thank Post
    303
    Thanked 327 Times in 233 Posts
    Rep Power
    118

    winlogon hogging CPU

    Got a new one to me at least on a PC in school...

    The machine is running ok but as soon as someone logs in with a domain account or the local account with the LAN line plugged in winlogon.exe service just sits there and hogs the CPU and will not let go.

    According to the teacher it's been this way for a week (nice to be told so soon) and started when he'd asked two children to log him off and log themselves in.

    Knowing the class, it's possible but unlikely that they did anything malicious or stupid, and I'm not sure how they would get to a virus or malware site with the filters in place, so I'm thinking it's more likely to be a profile corruption (we use roaming profiles in that school) or similar.


    I've done some googling but can't tie this one down so to date I've tried:
    - running Spybot S&D (nothing at all found) as Local Admin
    - updating the graphics driver (this was reported as a possible cause for a crash)
    - running in safe mode and checking for bad drivers, etc... (none found)
    - turning print spooler service to manual (reported as a possible vector)


    Beyond that I'm a bit clueless and lo my EventID.net subscription just ran out too (how ironic!) so any suggestions?

  2. #2
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,421
    Thank Post
    10
    Thanked 486 Times in 426 Posts
    Rep Power
    110
    Is it single core, non hyperthreading with XP, windows update server (with office updates)? Does it stop at all (say after 30 mins)?

  3. #3

    mattx's Avatar
    Join Date
    Jan 2007
    Posts
    9,236
    Thank Post
    1,057
    Thanked 1,067 Times in 624 Posts
    Rep Power
    740
    Check out:

    http://www.pcreview.co.uk/startup/winlogon.exe.php

    There are quite a few nasties which tie themselves into Winlogon.exe
    Maybe worth a double check.....

  4. #4
    contink's Avatar
    Quote Originally Posted by DMcCoy View Post
    Is it single core, non hyperthreading with XP, windows update server (with office updates)? Does it stop at all (say after 30 mins)?
    - Single core AMD 3000+ CPU (939)
    - XP system
    - WSUS server supplies updates
    - yes to office updates also

    I sat around for at least 20 minutes waiting for the damned thing to do much of anything and the wuauclt.exe was sat in the process list (tried killing it a few times) although that and svchost were pulling absolutely zero CPU time so I had my doubts..

    I'm assuming you're referring to the old winupdate "fun" that was had a few months back?

  5. #5
    DMcCoy's Avatar
    I was just wondering; the "fix" from MS just stops it crashing, it still uses all the CPU for ages. You could disable the update service in safe mode and reboot; if it's still bad, it's not that. Disable AV to test too.

    Edit: ah, winlogon, not svchost. It's been a while

    winlogon is more tricky :/

  6. #6

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,991
    Thank Post
    851
    Thanked 2,653 Times in 2,253 Posts
    Blog Entries
    9
    Rep Power
    764
    I had a problem very similar to this, when someone logged on they just got a blank screen and under closer inspection one of the processes was locked up.

    It turned out to be a combination of an old group policy added by someone else that was trying to trigger an application that no longer existed on logon and a script that was running to create shortcuts that was pointing to a server that had been replaced.

  7. #7
    contink's Avatar
    Just thought I'd feedback on this as I appear to have solved it...

    This is what I went through in order:
    - installed and scanned with spybot
    - immunised with spybot
    - scanned with sophos (which wasn't updating properly)

    Still nothing... what seemed to work was:
    - deleted all offline files
    - disabled sophos from starting automatically
    - rebooted
    - reinstalled sophos from the enterprise console

    it's now chuntering along happily...


    My guess is that there was some file or setting that got corrupted in the roaming profile (yes, yes!) and that was hanging things up.

    Cheers all for their suggestions..

  8. Thanks to contink from:

    Netman (8th February 2008)

  9. #8
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Just to clear up the ""fix" from ms just stops it crashing" is not quite correct, it moved the process so it didn't interfere with the GUI and improved CPU use so if another process needed servicing it could get a request in sideways.

    Glad you sorted the issue anyway.

  10. #9
    contink's Avatar
    Quote Originally Posted by cookie_monster View Post
    Just to clear up the ""fix" from ms just stops it crashing" is not quite correct, it moved the process so it didn't interfere with the GUI and improved CPU use so if another process needed servicing it could get a request in sideways.

    Glad you sorted the issue anyway.
    Yup... that's the winupdate jobby which in this instance wasn't a factor or else I would have seen svchost.exe running up the CPU like a mad thing... For all that once winlogon finally left well alone that didn't happen for 2 minutes but it was well behaved

  11. #10

    Join Date
    Jun 2007
    Location
    Gwernyfed High School
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I have a very similar problem, except this is a bit worse: not only is winlogon.exe using excessive CPU, it is also eating the network bandwidth (often going to 100% in the Task Manager page). I just spent last week moving user profiles to a new server that was installed about 2 months ago due to a server failure. I tested loads of accounts on a test PC and they all worked fine; in fact, when logging on the second time it was real quick.

    Then I went to test that it would work on the actual user's machine and this is when I found the problem. I have uninstalled Sophos and reinstalled and that does not seem to work. So now as a precaution I have disabled the install of Sophos in GP and uninstalled. This does seem to make a difference but it is still chewing up bandwidth; as all profiles run over the network this will be a problem, especially when the users all log in.

    I did some more investigation to see if the problem had some specifics and hey presto I found out that it is a Fujitsu Siemens tower model that is having the problem. It does seem to be just these machines which I suppose is a help. Can anybody give me any suggestions as to what this problem could be, yes the profiles are roaming (if that is the cause I think it is machine specific). Running a win2003 network.

  12. #11

    SYNACK's Avatar
    @nconstantinescu - You might want to try enabling userenv logging on one of those machines which should be able to narrow the culprit down.

    This along with packet sniffing the computer during a login was how I ended up tracking down my issues.
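The userenv logging suggested in the post above writes one timestamped line per profile and Group Policy step, so the step that stalls a logon shows up as a long silence on one thread. The following is an added example, not part of the original thread, that finds those silences in a constructed sample log. It assumes Microsoft's documented setting for XP/2003 (`UserEnvDebugLevel`, REG_DWORD `0x30002`, under `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`, writing to `%SystemRoot%\Debug\UserMode\userenv.log`) and the line layout shown in the code comment; the server and account names are made up.

```python
import re
from datetime import timedelta

# Assumed userenv.log line layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\w+):\s*(?P<msg>.*)$",
    re.IGNORECASE,
)

# Constructed sample, not taken from the thread.
SAMPLE_LOG = r"""
USERENV(2a4.2a8) 08:59:58:120 LoadUserProfile: Entering, hToken = <0x7f8>
USERENV(2a4.2a8) 08:59:58:151 ParseProfilePath: Entering, lpProfilePath = <\\OLDSRV\profiles$\pupil1>
USERENV(2a4.2a8) 09:00:41:903 ParseProfilePath: GetFileAttributes failed with error 53
USERENV(2a4.2a8) 09:00:42:010 LoadUserProfile: Leaving with a value of 1.
USERENV(2a4.31c) 23:59:59:800 ProcessGPOs: Starting user Group Policy processing...
USERENV(2a4.31c) 00:00:03:300 ProcessGPOs: Leaving with 1.
"""

def parse_line(line):
    """Return (thread, time_of_day, function, message) or None if not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, ms = (int(x) for x in m.group("ts").split(":"))
    t = timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms)
    return m.group("pid") + "." + m.group("tid"), t, m.group("func"), m.group("msg")

def find_stalls(text, threshold_s=5.0):
    """Return (gap_seconds, thread, stalled_after, resumed_at), largest gap first."""
    last, stalls = {}, []  # last: thread -> (time, description) of its previous entry
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # blank or unrecognised line
        thread, t, func, msg = parsed
        if thread in last:  # compare per thread, since threads interleave in the log
            prev_t, prev_desc = last[thread]
            gap = (t - prev_t).total_seconds()
            if gap < 0:
                gap += 86400  # entries carry no date: treat as a midnight rollover
            if gap >= threshold_s:
                stalls.append((gap, thread, prev_desc, f"{func}: {msg}"))
        last[thread] = (t, f"{func}: {msg}")
    return sorted(stalls, reverse=True)

if __name__ == "__main__":
    for stall in find_stalls(SAMPLE_LOG):
        print(stall)
```

In the sample, the only gap over the threshold is the 43.752 s wait on a profile path that points at a server that no longer answers, which is the kind of stale reference described earlier in the thread.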

  13. #12

    Join Date
    Jun 2007
    Location
    Gwernyfed High School
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks for the reply, one thing I have noticed is an app error in the event log

    HTML Code:
    Userenv Event 1525 Is Logged
    View products that this article applies to.
    Article ID : 325838 
    Last Review : September 22, 2006 
    Revision : 2.0 
    This article was previously published under Q325838
    SUMMARY
    Userenv event 1525 may appear in the application event log:
    Event Type: Warning
    Event Source: Userenv
    Event Category: None
    Event ID: 1525
    Date: 7/3/2002
    Time: 3:42:11 PM
    User: Name1\Name2
    Computer: Computer
    Description:
    Windows has detected that Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Caching must be disabled on shares where roaming user profiles are stored. 
    
    For more information, see Help and Support Center at http://support.microsoft.com.
    This event may occur if the following conditions exist:
    - A Windows XP-based computer is member of a Microsoft Windows NT 4.0-based domain or of a Microsoft Windows 2000-based domain.
    - You put the roaming profile of a domain user on a Windows NT 4.0-based server.
    - You log on as this user from a Windows XP-based computer.
    
    MORE INFORMATION
    The warning is recorded in the log to notify the administrator that it is possible for the client to cache files from that share. Although you cannot set caching on Windows NT 4.0-based shares, Client Side Caching (CSC) interprets the lack of caching options as manual caching. Therefore, as far as CSC is concerned, the Windows NT 4.0-based share is cacheable. This can permit profiles to be cached. The warning notifies administrators of this issue.
    How do I disable offline caching (as usual with MS, not that helpful a log)? Is there a way to do this in GP? It may not be a cause of the above problem but it's another one crossed off the list.

  14. #13

    SYNACK's Avatar
    Quote Originally Posted by nconstantinescu View Post
    Thanks for the reply, one thing I have noticed is an app error in the event log

    How do I disable offline caching (as usual with MS, not that helpful a log)? Is there a way to do this in GP? It may not be a cause of the above problem but it's another one crossed off the list.
    In GP you might try:
    Computer Configuration -> Administrative Templates -> System -> User Profiles -> Delete Cached copies of Roaming Profiles

    Just don't do this on the laptops as then they won't be able to log in off site. For reference I have never known this event log entry to cause any real problems like the one you are having.

  15. #14
    contink's Avatar
    Just to note this problem re-occurred about a week back...

    It seems the solution is to remove the computer from the domain using the local admin account... Then you re-add it again..

    Bizarrely this seems to do the trick... Wish I'd tried it before a repair, etc...
