new winlogon.exe

A few days ago I started getting a warning that winlogon.exe had been replaced.

Since I had never encountered this before and being unable to discern an obvious culprit based on limited activity at that time and suspecting malware as the cause, I updated Adaware, Spybot, A2, Swatit, etc…, and performed scans, with no actual malware found. In retrospect, the only thing that appears as potentially obvious is that about that point in time I applied M$’s Security Updates KB841533, KB873376, KB834707, KB841356, and KB840987 (I am still running XP SP1…). Would I be safe to conclude that the security updates changed winlogon given that no malware was found (yes, the winlogon exe exists in window\system32, but not in \windows…)?

 

Hello keywester,

FWIW, my version on an XP Home SP2 system:

size = 490 KB, version 5.1.2600.2180

Locations: \System32 and in \ServicePackFiles\i386

Regards - Charles

 

"I started getting a warning that winlogon.exe had been replaced "

What does this mean? Who gave you the error? What exactly did it say?

 

It is a warning message from System Safety Monitor - the text of which basically indicates something to the effect that the exe has the same name but is not the same exe... will post back with exact text if necessary but the bottom line is that the exe has been updated or replaced...

 

I run SSM as well, and got a slew of new version warnings w/ install of SP2 - don't remember winlogon specifically. Since then have the newest SSM version w/o that original config file, so can't check it that way.

Went back into SP2's uninstall file - pre SP2 windows, and sure enough that version of winlogon is 5.1.2600.1106 - size is 504 KB.

So I would say that since SP2 incorporates patches that you're downloading for SP1, that this is legit.

Regards - Charles