Viewing 35 posts - 1 through 35 (of 35 total)
  • wermgr.exe or winlogon.exe a virus?
  • paul4stones
    Full Member

    On a Toshiba Win7 laptop. Suddenly slowed down and now almost paralysed by constant activity. Timer wheel spins at the cursor for a split second but every couple of seconds. Doesn’t go to sleep but will shut down. Did a system restore which initially sorted it but the problem has come back.

    Looking at the Task Manager there are loads of .exe files but the wermgr and winlogon seem to be active all the time using between 500k and 3500k every few seconds. Google suggests that these can actually be viruses with the appearance of legit files

    Scanned with AVG free and Malwarebytes but nothing. Tried a program called Security Task Manager but also no help.

    Any suggestions?

    RAGGATIP
    Free Member

    So it’s Windows Error reporting Service which is something that personally I would disable, and the Windows Logon application which you should keep running.

    Although this won’t solve the problem this cports app is really handy for seeing all the IP addresses that your machine is connecting to. You don’t need to install. Just extract the folder to your desktop and run from within the extracted folder.

    https://www.nirsoft.net/utils/cports.html

    If your winlogon.exe and wermgr.exe are connecting to nefarious IP addresses the cports app will show this. Google the IP address and it’s likely it’ll be connecting to a Microsoft address. I see no reason why Winlogon.exe should be connecting to any external IP address.

    It’s initially alarming as Windows connects to a lot of IP addresses since, by default, there’s a lot of background services running. They’re usually running within the svchost.exe file so cannot be pinpointed so easily.

    I disabled most of my services within the Task scheduler so now when looking at cports the only connections I see are from the apps I’d expect to see such as my browser and email clients.

    Cougar
    Full Member

    I disabled most of my services within the Task scheduler

    I really wouldn’t be recommending this as a course of action unless someone knows exactly what they’re disabling, unless you have a burning desire for an expensive paperweight.

    First thing I’d do is right-click both of those services in Task Manager and select “open file location.” They should open Windows\System32 in both cases, if they open anywhere outside of the Windows directory then they’re highly likely to be malware.

    With the limited amount of data in the OP, the slowdowns could be literally anything. Could be related to those tasks, could be the hard disk is dying, could be something else entirely.

    Personally, I’d be tempted to back up your data (which you do already, right?) and flatten it with a Windows 10 install rather than cock about listening to random ideas from strangers on the Internet. Better yet, swap the HDD for an SSD and do a W10 install to that; it’ll be a huge performance boost and you’ve still got the old system as a fall-back if it goes wrong.
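
    The two checks suggested in the posts above (the per-process connection view and the file-location check), combined into one PowerShell snippet as an added example that is not part of the original thread. The process-name list and the expected folders are assumptions of this sketch; it uses only Get-WmiObject and netstat so that it runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example, not from the thread. Run from an elevated prompt:
# without elevation ExecutablePath is often empty for winlogon.exe.
$names    = 'wermgr.exe', 'winlogon.exe', 'WerFault.exe'   # assumed watch list
$expected = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')   # 32-bit copies on 64-bit Windows
)

# Build a PID -> remote endpoint map from "netstat -ano".
# Columns on TCP lines: Proto, Local, Foreign, State, PID.
$remote = @{}
netstat -ano | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    # Listening sockets show a foreign address ending in ":0"; skip them.
    if ($f.Count -eq 5 -and $f[2] -notmatch ':0$') {
        $procId = $f[4]
        if (-not $remote.ContainsKey($procId)) { $remote[$procId] = @() }
        $remote[$procId] += $f[2]
    }
}

# Compare each matching process's image folder with the expected folders.
Get-WmiObject Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) {
            $verdict = 'path unreadable (re-run elevated)'
        } elseif ($expected -contains (Split-Path $path -Parent)) {
            $verdict = 'expected location'
        } else {
            $verdict = 'outside System32/SysWOW64: investigate'
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            PID       = $_.ProcessId
            ParentPID = $_.ParentProcessId
            Path      = $path
            Verdict   = $verdict
            Remote    = ($remote["$($_.ProcessId)"] -join ', ')
        }
    } | Format-List Name, PID, ParentPID, Path, Verdict, Remote
```

    An "expected location" verdict only rules out the look-alike-file case; it says nothing about why the process is busy.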

    paul4stones
    Full Member

    Thanks Cougar.

    I tried to find the location of those things before but it didn’t have the energy to show me. Having looked at it again the winlogon is ok it’s the wermgr that’s flicking up and down with usage which coincides with the spinning wheel and flashing screen (ok, it’s a kind of flicker round the dialogue box but it all happens at the same time). The feeling I have is that it’s occupied doing something which is what’s slowed it and which is why I was looking in the task manager in the first place to see what was going on. Can I disable wermgr?

    Slow reply here because I’ve been at work and I’ll not be back for another hour but thanks for the input so far.

    paul4stones
    Full Member

    Bit more info.

    Looking at the task manager pane the wermgr is at the bottom and the amount of memory it uses varies constantly.
    The winlogon comes and goes but its memory use is the same.
    There is another wermgr that keeps appearing and disappearing, also largely varying amounts of memory. Sometimes both wermgr disappear.

    I went to the services screen and found that the wermgr was already set to manual startup.

    molgrips
    Free Member

    If you turn off the wifi (even the router in your house, you don’t need to operate the laptop) it will stop any malware from doing whatever internet based stuff it was doing. But if it doesn’t stop, doesn’t mean it wasn’t malware.

    The error reporting service would be using loads of resources if there were loads of errors being caused by something else…

    If you can get to the resource monitor (link to it from the resources page of task manager) then there’s a tab showing you disk usage, and it shows which files are being written to. This could give a clue as to what’s going on.

    paul4stones
    Full Member

    Wifi disconnected.

    Top of the list for disc activity: services.exe (325,000 b/s); System (150,000 b/s); then an avg thing or WerFault

    wwaswas
    Full Member

    trouble with services.exe is that it covers dozens of possible tasks so unless you drill down it’s not that useful as a measure of what’s causing activity.

    Cougar
    Full Member

    1) what happens if you terminate the process?

    2) do you want me to look at it remotely? We’ll be here for days otherwise.

    paul4stones
    Full Member

    2) maybe yes but I’d have to swear you to secrecy ;-)

    plyphon
    Free Member

    I think I had this – or something similar – before.

    In the end it was down to Windows Update checking over and over endlessly for updates – it got caught in a loop.

    Try updating your system manually by clicking ‘check for updates’ in Windows update. It might take a while but just let it search and see if it says there is anything to update.

    paul4stones
    Full Member

    Can’t stop it. Doesn’t return an error.

    paul4stones
    Full Member

    plyphon you might be on to something there but it says ‘Windows Update cannot currently check for updates because the service is not running. You may need to restart your computer’

    Yes, the wifi is back on….

    Cougar
    Full Member

    ‘Windows Update cannot currently check for updates because the service is not running. You may need to restart your computer’

    Services again – what’s the status of the Background Intelligent Transfer Service and Windows Update services?

    Cougar
    Full Member

    2) maybe yes but I’d have to swear you to secrecy 😉

    Soul of discretion, me.

    Moreover, you’d have full visibility of what I’d be doing. I wouldn’t be able to, erm, take an offline backup of your grot collection without you noticing.

    sobriety
    Free Member

    ‘Windows Update cannot currently check for updates because the service is not running. You may need to restart your computer’

    My old Win7 machine did something similar, I researched it a bit and it was to do with a combination of an iffy machine and an iffy win7 update causing it to get all confused and thrash itself in oblivion.

    (Un)Fortunately the whole machine lunched itself before I could get properly to the bottom of it (it was something of a rabbit hole), and my new machine is win 10, which has a “so the auto-updates got confused, fix them” button in it…

    paul4stones
    Full Member

    Both started automatically

    plyphon
    Free Member

    Yes I think this might be the same issue then, or closely related.

    Try googling the phrase ‘Windows Update cannot currently check for updates because the service is not running’ and see what that turns up.

    This poster here seemed to find a solution:
    https://answers.microsoft.com/en-us/windows/forum/windows_7-update/solution-to-windows-update-cannot-currently-check/a61e2514-087d-4cb4-893b-20608d79524c

    So we changed the settings on all the PC’s to ‘Never check for updates ( not recommended)’ and then rebooted & then tried to check for updates and we could in all instances. We then changed the settings back to our preference of either ‘Install updates automatically ( recommended)’ or ‘Download updates but let me choose when to install them’ and all is well again.

    paul4stones
    Full Member

    Still won’t update but I’ve done another system restore further back and it’s ok at the moment. Been here before though.

    I’m coming round to Cougar’s idea of Win 10 on it. What’s the cheapest way of doing that?

    sobriety
    Free Member

    Keys of questionable legality* can be had for not much money from places such as amazon.

    *I have used them with no issue in the past, and MS haven’t sued me yet. They are usually bulk purchased OEM keys being resold, which is against MS’s terms, so a key you got may stop working at some point, if MS kill that OEM license. The key stopping working won’t (currently) kill win 10, it’ll just disable some features and put a “not licensed” watermark on the screen, so you can then sort out another key.

    Cougar
    Full Member

    You don’t need to do any of that nonsense.

    You can download the image for free from Microsoft (google “windows 10 media creation tool”), create a USB installer, then feed it your Windows 7 OEM key when it asks for a key.

    sobriety
    Free Member

    Ahhhh, yes my Win7 was a free upgrade from Vista, so Win10 noped it.

    Cougar
    Full Member

    … and as I said, if you don’t already have one I’d very highly recommend that you take this as an opportunity to stick an SSD in it. They used to be stupidly expensive but a 120GB drive is like 20 quid these days, it’s a no-brainer.

    https://www.scan.co.uk/products/250gb-samsung-860-evo-25-ssd-sata-iii-6gb-s-mjx-3d-mlc-v-nand-512mb-cache-read-550mb-s-write-520mb-s

    250GB Samsung Evo (best drives out there IMHO) for £50. Bargain. A 500GB version of the same is £85.

    paul4stones
    Full Member

    Well chaps you’re all marvellous as usual. Currently following Plyphon’s suggestion and it is now checking for updates so I’m quietly hopeful. What a way to spend the afternoon.

    Right, got to get the pizza on but thanks for all the help.

    Cougar
    Full Member

    my Win7 was a free upgrade from Vista, so Win10 noped it.

    Did you not get a W7 key given? I did the same at the time, I could’ve sworn you got a new one (though it was a while ago now…)

    Actually, thinking about it, wasn’t it a cheap upgrade offer (like £30 or something) rather than free?

    The early editions of W10 required you to either have a W10 key or do an over-the-top upgrade so that it could verify a qualifying product. I guess that could have nixed it. That’s not the case these days, you can do a clean install and just feed it a valid W7 or W8.1 OEM key.

    johnners
    Free Member

    I wouldn’t be able to, erm, take an offline backup of your grot collection without you noticing.

    Bear in mind that that’s exactly the kind of thing someone who’s about to take an offline backup of your grot collection would say.

    Cougar
    Full Member

    Curses, rumbled.

    (-:

    sobriety
    Free Member

    No, mine upgraded by putting the vista key in. It may well have been the cheap upgrade offer, but win 7 upgraded and reinstalled when I went to SSD with no problems, Windows 10 didn’t like the vista key so I had to sort out a license, or get moaned at by win10.

    Edit: Or I did get a Win7 Upgrade key, but again as it was an upgrade rather than a full key win10 didn’t like it, it was so long ago I can barely remember it beyond “oh well, that didn’t work, best I sort out a key”…

    Cougar
    Full Member

    Fair enough. I too have slept since then…!

    paul4stones
    Full Member

    Yep all ok now. Many thanks all.

    And thanks for the SSD tip – I’ve another lappy that I can feel being rejuvenated

    scuttler
    Full Member

    HDD to SSD upgrade in a laptop is the best upgrade you’ll find.

    sobriety
    Free Member

    I agree, HDD to SSD is currently the best bang for buck upgrade available

    paul4stones
    Full Member

    Update on this. As I said before the method suggested above seemed to sort it out and it did seem like it was stuck in some kind of update loop. It’s been fine until today when it reverted to being exactly the same as before.

    I’ve made it find some updates (12 I think) and it’s installed them, etc but still the same.
    Any other suggestions before I flatten it?

The topic ‘wermgr.exe or winlogon.exe a virus?’ is closed to new replies.