# multiple winlogon.exe using 100% CPU



## MikeWebaloo (Oct 29, 2010)

Hello,

I am running a 2003 Server that is pegged at 100% CPU. It looks like the offending processes are about 7 separate "winlogon.exe" processes using 100% of the CPU. I'm thinking this might be an outside attack trying to RDP into our server. How do I find which IP addresses are doing this and block them from trying to connect?

Thanks,
-Mike


----------



## ameharhughes (Oct 26, 2010)

How many is multiple?

I know there are 5 locations of winlogon.exe and all are legit.

C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe 
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
C:\I386\winlogon.exe


----------



## ameharhughes (Oct 26, 2010)

Another thing, just remembered:

I may be wrong, but if you have the TS role and several users log in or off, then this could be why.
Are the processes constant, or do they come and go?


----------



## MikeWebaloo (Oct 29, 2010)

The processes come and go. They will close after a few seconds, and then re-open with a new PID. There is usually 7 or so open at a time. Only 2 of us in our office have RDP access to this server. Seems like either an application logging in/out or outside RDP access attempts.


----------



## Wand3r3r (Sep 17, 2010)

Look at your Security event viewer logs.

If you think it's from the outside, cut the internet connection. If they disappear, you have been hacked and need to respond accordingly.

If it still continues after the internet connection is cut, scan for malware/viruses and/or disable RDP in the meantime as you further troubleshoot the issue.


----------



## ameharhughes (Oct 26, 2010)

Wand3r3r's right, it's really a process of elimination.

Cut the net from the server and go from there.


----------



## test500 (Dec 11, 2010)

I'm having the exact same issue with all of my Windows 2003 servers. It seems like somebody is trying to guess the RDP password with a hack tool.

When a new connection attempt occurs, 2 new processes run, winlogon.exe and csrss.exe ... Sometimes more than 5 concurrent connections occur, which eats up lots of CPU and RAM.

Is there a way to detect the source of these connection attempts and prevent it? There is no setting in RDP options to block an IP address after several unsuccessful connection attempts.

I can only open Terminal Services Manager, right-click on sessions and select disconnect or reset, but it doesn't always work; I can't even keep up with new sessions created every second and disconnected in 1 second.

Can somebody help?
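
Wand3r3r's advice to read the Security event log, Mike's question about finding the offending IP addresses and test500's question about detecting the source of the attempts all come down to the same step: pull the failed logon events out of the Security log and count them per source address. The script below is an added example written for this thread; it is not code from any of the posters. It parses records constructed to look like the message body of Windows Server 2003 Security event 529 (Logon Failure), keeps those with Logon Type 10 (RemoteInteractive, the type a Terminal Services logon uses; that failed RDP logons appear as 529 with this type is an assumption stated in the code), groups them by the "Source Network Address" field and lists sources at or above a threshold, minus an allow-list of known admin addresses. The sample records, addresses, user names and threshold are all constructed; the helper `event_529`, the `SourceStats` class and the function names are mine, not anything Windows provides. In real use you would export the Security log to text from Event Viewer and feed the message bodies in.

```python
"""Count failed Terminal Services logons per source address from Security-log text.

Added example for this thread, not any poster's code.  The records below are
CONSTRUCTED to look like the message body of Windows Server 2003 Security
event 529 (Logon Failure) and 528 (Successful Logon); they are not real logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "Key:<tabs>value" lines, as Event Viewer renders the 529/528 message body.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

# Logon Type 10 = RemoteInteractive (Terminal Services / RDP).  Assumption for
# this example: a failed RDP logon on 2003 is recorded as 529 with this type.
RDP_LOGON_TYPE = "10"


def event_529(user, logon_type, source, port):
    """Build a constructed 529 message body (helper for the sample data only)."""
    return (
        "Logon Failure:\n"
        "\tReason:\t\tUnknown user name or bad password\n"
        f"\tUser Name:\t{user}\n"
        "\tDomain:\t\tSERVER01\n"
        f"\tLogon Type:\t{logon_type}\n"
        "\tLogon Process:\tUser32\n"
        "\tAuthentication Package:\tNegotiate\n"
        "\tWorkstation Name:\tSERVER01\n"
        f"\tSource Network Address:\t{source}\n"
        f"\tSource Port:\t{port}\n"
    )


# Constructed sample: (event id, message body).  Addresses are from the
# RFC 5737 documentation ranges and stand in for whatever a real log shows.
SAMPLE_EVENTS = [
    (529, event_529("administrator", "10", "203.0.113.45", "49152")),
    (529, event_529("admin", "10", "203.0.113.45", "49153")),
    (529, event_529("root", "10", "203.0.113.45", "49154")),
    (529, event_529("administrator", "10", "203.0.113.45", "49155")),
    (529, event_529("mike", "10", "198.51.100.7", "50100")),  # one typo by a real admin
    (529, event_529("backupsvc", "2", "-", "-")),  # console failure: no source address
    (528, "Successful Logon:\n\tUser Name:\tmike\n\tLogon Type:\t10\n"
          "\tSource Network Address:\t198.51.100.7\n"),  # success, ignored
]


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)  # user names tried from this address


def parse_message(body):
    """Turn the tab-separated 'Key: value' message body into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def failed_logons_by_source(events, logon_type=RDP_LOGON_TYPE):
    """Map source address -> SourceStats for event 529 with the given logon type.

    Records whose source address is empty or '-' (local console failures) are
    skipped: there is nothing to block for them.
    """
    stats = defaultdict(SourceStats)
    for event_id, body in events:
        if event_id != 529:
            continue
        f = parse_message(body)
        if f.get("Logon Type") != logon_type:
            continue
        src = f.get("Source Network Address", "-")
        if src in ("", "-"):
            continue
        stats[src].failures += 1
        stats[src].users.add(f.get("User Name", "?"))
    return dict(stats)


def candidate_blocks(stats, threshold, allow=frozenset()):
    """Addresses with >= threshold failures, worst first, minus the allow-list."""
    hits = [ip for ip, s in stats.items() if s.failures >= threshold and ip not in allow]
    return sorted(hits, key=lambda ip: (-stats[ip].failures, ip))


if __name__ == "__main__":
    stats = failed_logons_by_source(SAMPLE_EVENTS)
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1].failures):
        print(f"{ip:16} {s.failures:3} failures  users tried: {', '.join(sorted(s.users))}")
    print("block candidates:", candidate_blocks(stats, threshold=3, allow={"198.51.100.7"}))
```

The allow-list matters because a threshold alone will eventually catch one of the two legitimate admins after a few mistyped passwords; put their known addresses in it before acting on the output. The script only produces the list: Windows Firewall on Server 2003 has no per-address deny rule, so blocking is normally done with an IPsec filter on the server or at the edge firewall. On Server 2008 and later the equivalent failure event is 4625, which also carries a "Source Network Address" field, so the same grouping applies.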


----------

