What is winlogon.exe -SpecialSession?

4

1

I'm running Windows 8 Enterprise. A couple of times now, I've noticed multiple winlogon.exe processes running (accompanied by as many extra csrss.exe and dwm.exe). Today I saw one extra, but the first time I noticed it, there were five or six extra.

Process Explorer shows that they're all indeed C:\Windows\System32\winlogon.exe, but the extra ones have been started with the flag -SpecialSession, and that their parent process no longer exists.

Malware scans with Malwarebytes and Spybot S&D haven't shown anything, and Windows Defender has remained silent.

What is this -SpecialSession option and where could these extra instances be coming from? Google seems to know nothing about it.

user1454265

Posted 2013-01-15T18:39:48.553

Reputation: 161

Intriguing question, would this debugger help? http://msdn.microsoft.com/en-gb/library/windows/hardware/ff541428(v=vs.85).aspx

– Guy Thomas – 2013-01-15T22:46:19.230

Answers

3

I also see this behavior since I upgraded to Windows 8. I did an in-place upgrade over Windows 7, FWIW. I don't have enough points to comment, so I'm writing this as an answer.

There is a clear pattern that each set of orphaned winlogon.exe and its child processes are likely an artifact of the new "Fast boot/hybrid sleep" feature of Windows 8. By default Windows 8 does not shut down completely. When you select "Shutdown" from the charms bar, what actually happens is that you get logged out, but instead of shutting down, Windows hibernates. This way when you turn it back on, it resumes from hibernation at your login prompt, instead of a full boot up.

Presently my oldest set of processes are 12 days old, but I shut down my computer every day. I have about 12 of these process groups.

I haven't observed any adverse side effects yet, but I'll try disabling "fast startup." I'm not convinced that it is any faster anyway.

Control Panel\All Control Panel Items\Power Options\System Settings

Ajith Antony

Posted 2013-01-15T18:39:48.553

Reputation: 176

Looks like a well researched and convincing explanation. – Guy Thomas – 2013-01-16T08:38:11.790

1

I see the same thing on my Win 8 Pro machines. Although I fully shut down, when I turn the machine back on I see multiple sets of:

WinLogon.exe -SpecialSession
   LogonUI.exe /flags:0x0
   dwm.exe -hiberboot

The params for dwm convince me that I'm looking at a special hibernation-related feature, rather than logon attacks.

jeesty

Posted 2013-01-15T18:39:48.553

Reputation: 111
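
The checks made across the question and answers above (image path, command line, missing parent, age, and which processes share the session) can be gathered in one pass. This is an added PowerShell example, not part of any post; it assumes an elevated prompt, and the output property names are chosen here for illustration.

```powershell
# Added example: list every winlogon.exe with the details the posts look at.
# Run elevated; CommandLine/ExecutablePath can be empty for system processes otherwise.
$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$all      = Get-CimInstance -ClassName Win32_Process

# Index all processes by PID so parents can be looked up.
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

# Session companions named in the question and answers.
$companions = 'csrss.exe', 'dwm.exe', 'LogonUI.exe'

foreach ($w in ($all | Where-Object { $_.Name -eq 'winlogon.exe' } | Sort-Object CreationDate)) {
    # A reused PID can look like a live parent; a real parent is older than its child.
    $parent      = $byPid[[uint32]$w.ParentProcessId]
    $parentAlive = $parent -and ($parent.CreationDate -le $w.CreationDate)

    # Signature status of the image on disk. Older PowerShell versions can report
    # catalog-signed system files as NotSigned, so treat that value with care.
    $sig = if ($w.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $w.ExecutablePath).Status
    } else {
        'unknown (path not readable)'
    }

    # Other logon-related processes in the same session, with their arguments.
    $sameSession = $all |
        Where-Object { $_.SessionId -eq $w.SessionId -and $companions -contains $_.Name } |
        ForEach-Object { '{0} [{1}]' -f $_.Name, $_.CommandLine }

    [pscustomobject]@{
        Pid            = $w.ProcessId
        SessionId      = $w.SessionId
        Started        = $w.CreationDate
        CommandLine    = $w.CommandLine
        SpecialSession = [bool]($w.CommandLine -match '-SpecialSession')
        PathAsExpected = ($w.ExecutablePath -eq $expected)
        Signature      = $sig
        ParentAlive    = [bool]$parentAlive
        SameSession    = $sameSession -join '; '
    }
}
```

An instance whose PathAsExpected is False deserves a closer look regardless of its arguments, since the name alone proves nothing about the image that is running.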

1

Ok, I asked this of Microsoft and this seems to be some special secret thing. They only confirm that it has something to do with the HybridBoot/fastStartup but don't give any details why this is so.

magicandre1981

Posted 2013-01-15T18:39:48.553

Reputation: 86 560