Issue abstract: winlogon.exe flagged as malware
Detailed description: since a couple of months, i get the pop-up from the screenshot over and over again. The file is signed by MS. Scans of the system32 folder by Norton itself don’t bring anything up, as do scans by Windows defender, Malwarebytes and ESET. Also, submitting the file to Virustotal shows it as clean. The last scan of winlogon.exe there always shows up as recent, btw.
Product & version number: 360 25.10528.959
OS details: W11 25H2 26200.6899
What is the error message you are seeing? See screenshot
If you have any supporting screenshots, please add them:
Were it my machine and I wanted reassurance,
I’d ask Malwarebytes Malware Removal Help Forums [here] to check my machine.
====================================
AI Mode
The file winlogon.exe is a critical and legitimate Windows system process responsible for user logon/logoff, loading user profiles, and handling the secure attention sequence (Ctrl+Alt+Delete).
However, malware often disguises itself by using the same name and placing the malicious file in a different location. The Win32:Malware-gen flag is a generic detection for suspicious behavior, which could indicate the file is indeed malware.
Steps to Verify the File
Check the File Location: The legitimate winlogon.exe is only located in C:\Windows\System32\.
Open Task Manager by pressing Ctrl+Shift+Esc or Ctrl+Alt+Delete and selecting Task Manager.
Go to the “Details” tab (or “Processes” and expand “Windows processes” in newer Windows versions).
Right-click on winlogon.exe and select “Open file location”.
If it opens a folder other than C:\Windows\System32\ (e.g., a subfolder of C:\Users\ or C:\Windows\Temp\), the file is almost certainly malicious.
Verify the Digital Signature (if possible):
Right-click the winlogon.exe file in the C:\Windows\System32\ folder and select Properties > Digital Signatures tab.
It should be signed by Microsoft.
Use an Online Scanner (if suspicious): If the location is incorrect, or you are still unsure, you can upload the file to a service like VirusTotal for multiple antivirus engines to scan it.
Immediate Actions if Malware is Confirmed
If the file is confirmed to be in an incorrect location:
Disconnect from the Internet: This prevents the malware from communicating with external servers.
Boot into Safe Mode: This loads only essential drivers and services, which may prevent the malware from running and make it easier to remove.
Run a Full Antivirus Scan: Use your installed antivirus software to run a full system scan. The Win32:Malware-gen detection means your AV has already found something, so make sure it takes the appropriate “clean” action.
Use a Second-Opinion Scanner: Download and run a reputable anti-malware program like Malwarebytes (free version) as a second opinion, as different programs catch different things.
Use Microsoft’s Malicious Software Removal Tool (MRT): Type mrt in the Windows search bar and run the tool for an additional scan.
Important: Do not attempt to manually delete the legitimate winlogon.exe file from C:\Windows\System32\ as this will cause your system to become unusable and crash. The infected system files need to be replaced by clean ones, a process your antivirus software handles, or a full system reinstall may be necessary in severe cases.
AI Mode may make mistakes
=========================================
AI Mode
The file winlogon.exe is a vital and legitimate Windows system process. The Norton 360 Win32:Malware-gen alert indicates Norton’s heuristic analysis found suspicious patterns or behaviors that are consistent with generic malware, suggesting two possibilities: the file is either legitimate but triggering a false positive, or it is a malicious file disguised with the same name.
Determine if the File is Legitimate
The most critical factor is the file’s location:
Open Task Manager: Press Ctrl+Shift+Esc.
Locate winlogon.exe: Go to the “Details” tab, right-click the process, and select “Open file location”.
Verify the Path:
Legitimate location: C:\Windows\System32\.
Malware location: If the folder is any other location (e.g., C:\Users\, C:\Windows\Temp\, or a folder with a slightly different name like winlogin.exe), then it is malware.
Check the Digital Signature: Right-click the file in C:\Windows\System32\, select Properties, go to the Digital Signatures tab, and confirm it is signed by Microsoft.
Actions to Take
If the file is malicious:
Trust Norton 360: Allow Norton to quarantine or remove the file. Win32:Malware-gen is a generic detection, so the behavior warranted a flag.
Disconnect from the Internet: This limits the malware’s ability to communicate or spread.
Boot into Safe Mode: This can prevent the malware from loading and running, making it easier to clean.
Run a Full System Scan: Perform a thorough scan with Norton 360.
Use a Second-Opinion Scanner: Run a scan with another reputable, free anti-malware program like Malwarebytes to ensure comprehensive removal.
If the file is legitimate (in C:\Windows\System32\ and signed by Microsoft):
Confirm a False Positive: You are likely experiencing a false positive, where Norton’s heuristic analysis flagged a legitimate system process.
Ensure Norton is Updated: Run Norton LiveUpdate to get the latest virus definitions, as an older definition might be the cause of the false positive.
Submit to Norton Labs: If the issue persists with up-to-date definitions, you can submit the file as a false positive report to Norton via their official community forum or submission link.
Exclude the File (Use Caution): Only if you are 100% certain the file is legitimate, you can add an exclusion in Norton 360 settings, but this is generally not recommended for critical system files unless you are an advanced user.
=======================================
AI Mode
To submit a false positive report to Norton, you must use their official online Norton Submission Portal. This allows their security team to analyze the file and update their virus definitions if necessary.
Steps to Submit a False Positive
Verify it is a false positive: First, confirm the winlogon.exe file is indeed in the correct, legitimate location: C:\Windows\System32\. Do not submit a file that is in an unusual location.
Go to the Norton Submission Portal: Navigate to https://submit.norton.com/ in your web browser.
Select your product version: The portal will ask you to select your Norton app version (e.g., Norton 360, version 24.x or newer). You can find this information by opening your Norton product and going to Help > About or Settings > About.
Choose the submission type:
Click on “URL and File Submission” (for newer versions) or “File Submission” (for older versions).
Select “Open submit form” under the “False positive” option.
Fill out the form:
Enter your email address.
Select “File” in the top panel.
Provide the Detection name (Win32:Malware-gen) and the Alert ID (found at the bottom of the Norton alert pop-up).
Add a description explaining that this is the legitimate winlogon.exe located in C:\Windows\System32\ and you believe it is a false positive.
Upload the file:
You will need to browse for the winlogon.exe file in the C:\Windows\System32\ directory.
To meet submission guidelines, you may need to place the sample file within a ZIP or RAR archive.
Crucially, the archive must not be password-protected.
Uploads can be a maximum size of 500 MB.
Submit the report: Tick the reCAPTCHA box and click “Submit”.
What Happens Next
The submitted file will be analyzed by Norton’s security research team.
They aim to address the issue and release updated definitions within approximately 48 hours.
You can check the status of your submission using the Request ID provided after submission.
Ensure your Norton product has the latest definition updates by running LiveUpdate periodically, as the issue may be resolved automatically with an update.
=================================
fwiw ~ from my W11 25H2
C:\Windows\System32\winlogon.exe
Gribouille342, bjm Thanks for your replies. The file is in the right location. Besides the copies (WinSxS) and MUI versions Windows itself keeps, there are no others present. Actually, since this has been going on for months I vaguely remember having uploaded it as a false positive already. Heard nothing back. Submitted it (again) just now. @BJM Atm, as you can see in the link I provided to Virustotal, you and I are on the same version of the file. I will look into the forum you mentioned.
Yes, I wanted to confirm your VT report.
Yes, we’ll watch for your Malwarebytes thread.
I’ll imagine …“Abuse prevention” is Exploit Prevention? or Intrusion Prevention?
Thanks
Learn more about Exploit Prevention here
Learn more about Intrusion Prevention here
=================================
AI Mode
winlogon.exe is the legitimate Windows Logon Application, a critical system process responsible for managing user login and logout, the secure attention sequence (Ctrl+Alt+Delete), loading user profiles, and controlling screen savers.
The number [1632] is the Process ID (PID), a unique identifier assigned by the operating system to that specific running instance of winlogon.exe. This number is dynamic and will be different every time the system starts or the process is created.
Key Details
Function: winlogon.exe is essential for the security and proper functioning of Windows. It ensures that the login process occurs on a secure, isolated desktop where other applications cannot monitor your credentials.
Location: The genuine file is located exclusively in the C:\Windows\System32 folder.
Security: The legitimate winlogon.exe is a safe, signed Microsoft file. Terminating it will cause the system to become unusable or shut down.
Malware: Malware authors sometimes name their malicious processes winlogon.exe (or use a similar name like winlogin.exe) to hide. A fake winlogon.exe will typically be found in a different directory, use unusually high CPU/memory, or have an unusual file size.
In summary, winlogon.exe[1632] is simply the Windows Logon process running with a specific, temporary identifier.
========================================
AI Mode
If malware mimics winlogon.exe (e.g., with PID 1632), it indicates a serious system infection, as the malware is likely trying to hide its presence and evade detection by security software and users. The specific PID (1632) is less important than the file name and behavior, as PIDs are temporary identifiers.
The consequences of such an infection can be severe and include:
Credential Theft: Since the legitimate winlogon.exe handles the user login process, a malicious imitation could log your keystrokes (keylogging) or capture your usernames and passwords directly when you log in.
System Compromise: Malware running under the name of a critical system process often gains high-level privileges, allowing it to bypass access controls and security measures.
Defense Evasion: By using a trusted name and potentially trying to run from a trusted location, the malware attempts to blend in with legitimate system activity, making it harder for traditional antivirus programs to flag it as malicious.
Persistence: The malware may modify system registry keys, specifically those related to Winlogon helper DLLs or Userinit, to ensure it runs every time the system boots or a user logs on.
Resource Hijacking: An infected system may experience slow performance, frequent crashes, or high CPU usage, as the malicious process consumes system resources for its own purposes, such as cryptocurrency mining or being part of a botnet.
Further Infection: The initial malware could install additional, more potent malicious payloads, such as remote access trojans (RATs) that allow attackers to take full control of the computer remotely.
How to Identify a Malicious Instance
You can typically identify a fake winlogon.exe by checking certain properties in the Task Manager or using specialized tools like Sysinternals Process Explorer:
Location: The only legitimate location for winlogon.exe is C:\Windows\System32\. A file with the same name anywhere else (e.g., in C:\Users\AppData\Local\ or C:\Windows\) is almost certainly malicious.
Digital Signature: The genuine file will be digitally signed by Microsoft.
Behavior: The legitimate process runs consistently and does not usually exhibit unusually high CPU or memory usage unless there is a specific system issue. A fake one might show spikes in resource use or attempt to make unauthorized network connections.
Inability to Terminate: Attempting to end a critical system process like the legitimate winlogon.exe will cause a system error or shutdown. Malware might mimic this behavior to prevent manual termination, or conversely, a fake process might terminate without a system impact, revealing it is not the real system process.
If you suspect an infection, immediately disconnect the computer from the internet and run a full scan with a reputable, up-to-date security program.
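The checks described in the two quoted answers above (file location, Microsoft signature, and the Winlogon registry values used for persistence) can be run in one go. This is an added example for this thread, not code from Norton, Microsoft or any poster; the expected paths and default registry values are assumptions based on a stock Windows install, and it should be run from an elevated PowerShell prompt because the path of a SYSTEM process is not readable otherwise.

```powershell
# Added example (not from the thread): verify each running winlogon.exe the way
# the posts above describe. Run elevated so $Process.Path is readable.
$expectedPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'

function Test-WinlogonInstance {
    param([System.Diagnostics.Process]$Process)
    $result = [ordered]@{ PID = $Process.Id; Path = $Process.Path; Issues = @() }

    # 1. Location: the genuine binary lives only in %SystemRoot%\System32.
    if (-not $Process.Path) {
        $result.Issues += 'path not readable (run elevated)'
    } elseif ($Process.Path -ne $expectedPath) {
        $result.Issues += "unexpected path $($Process.Path)"
    }

    # 2. Signature: winlogon.exe is catalog-signed by Microsoft;
    #    Get-AuthenticodeSignature resolves catalog signatures, so expect Valid.
    if ($Process.Path) {
        $sig = Get-AuthenticodeSignature -FilePath $Process.Path
        if ($sig.Status -ne 'Valid') {
            $result.Issues += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $result.Issues += "unexpected signer $($sig.SignerCertificate.Subject)"
        }
    }
    [pscustomobject]$result
}

# 3. Persistence: the Winlogon values malware rewrites to get launched at logon.
#    The expected strings are the stock defaults (assumed); anything else
#    deserves a closer look, e.g. an extra executable appended to Userinit.
function Test-WinlogonRegistry {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
        Shell    = 'explorer.exe'
    }
    $values = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Value    = $name
            Actual   = $values.$name
            Expected = $expected[$name]
            Ok       = ($values.$name -eq $expected[$name])   # case-insensitive
        }
    }
}

Get-Process -Name winlogon | ForEach-Object { Test-WinlogonInstance -Process $_ } | Format-List
Test-WinlogonRegistry | Format-Table -AutoSize
```

An empty Issues list plus Ok = True for both registry values matches the "legitimate file" case the posts describe; compare the PID column with the one in the Norton alert, as the original poster did.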
‘Misbruikpreventie’ must be the prevention mentioned under security - advanced - ….prevention. I am now trying to see what disabling one (after another) setting there will do …
There is never any discrepancy between the PID Norton comes up with in its alert and the PID of the winlogon.exe located, indeed, in System32.
Well, thanks to you I learned Norton flags my valid winlogon.exe as doing suspicious kernel calls … Disabling this detection gets rid of the pop-up.
The only thing I can come up with as to the cause of detection is my Elan fingerprint driver which dates back to end of 21, would need an update.
Didn’t get any reaction on my recent, second false positive report from them. Perhaps that’s because there is no ID in the pop-up, which Norton requires in a false positive report.
Also remarkable that the detections don’t show up in the security history.
Any other thoughts than leaving suspicious kernel calls detection disabled?
Will you explore the (detection) issue? with Malwarebytes Malware Removal Help Forums here
Will you explore whether Elan fingerprint driver needs an update? here or here or here or ?
Hardware ID is USB\VID_04F3&PID_0C7F&REV_0164. Windows offers me nothing. When searching the catalogue, leaving out the revision, I get loads of what seems to me the same driver package, just a few months more recent.
Windows catalogue comes up with 10 lines with the Feb 2022 driver for my hardware ID. Looks like all of these are one of only 2 packages. Took the plunge and updated. Driver works as it should. Re-enabled the Norton setting and waiting …
Well, this few days later - not having seen the detection again - I think I can say it’s gone.
Though I’m happy after having been bugged for many months, I’m also not holding my breath. I have a hard time believing the slight bump in the fingerprint driver version did it. Or the update of the Norton app to 25.11 that came right after the driver update.
And who knows, simply moving the suspicious kernel calls slider back to on, without installing the driver, might also have done the trick.
What I do know is I’m glad I came here. Apparently it was necessary. Thank you @bjm and @Gribouille342!