traffic and winlogon.exe

Discussion in 'other firewalls' started by sir_carew, Dec 19, 2003.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Hi.
    I'm using ZA Pro 4.5 w/ web filtering.
    I'm also using Windows XP Home, and all the time ZA Pro blocks the access (because I block it) of an application named winlogon.exe. winlogon tries to connect to the Internet every 1 hour approx. and also asks me for server rights; I block all types of Internet connections for this file. It's a Windows XP file, but why does it ask me for Internet access?
    Thanks.
  2. LowWaterMark

    LowWaterMark Administrator

    Can you show us the details on this? First, exactly what is the alert (all details - address it tries to access, port number, etc.) and second, what are the exact details on the file (its location, properties, etc.)? There could be multiple winlogon.exe files, a good one from Windows and possibly bad ones from malware. We need to be sure first that it's the valid one and then try to determine what it is doing.

    On my XP Home system with ZAP, winlogon.exe does not ask for access to the network itself. (Mine is set to all "?" in the program tab and I never hear anything from it.)
  3. sir_carew

    sir_carew Registered Member

    Here's the info from ZA:
    Direction: Outgoing (connect)
    Type: Program access
    Rating: Medium
    Action taken: Blocked
    Destination IP: 200.27.66.77:67
    Count: 1 (But I've had the same alert many times)
    Program: Aplicación de inicio de sesión de Windows NT (I have Windows in Spanish)
    The location: C:\WINDOWS\system32\winlogon.exe

    These are the properties of the file:
    Language: Español (alfabetización internacional)
    Name of the product: Sistema operativo Microsoft® Windows®
    Internal name: winlogon
    Original name: WINLOGON.EXE
    Organization: Microsoft Corporation
    Version of the file: 5.1.2600.1106 (xpsp1.020828-1920)
    Version of the product: 5.1.2600.1106
    The size of the file is: 520.192 bytes

    PS: I have formatted my computer many times; however, the file is always the same. If you want, I can send you the file.

    Thanks.
  4. CrazyM

    CrazyM Firewall Expert

    Do the log entries indicate the protocol?
    Do you know if that particular IP is one of your ISP's DHCP servers?

    Regards,

    CrazyM
  5. sir_carew

    sir_carew Registered Member

    Hi,
    No, ZA doesn't indicate the protocol; the field appears blank.
    This IP is from my ISP, but the only thing I know is that it isn't one of my 3 DNS servers.
    Thanks.
  6. LowWaterMark

    LowWaterMark Administrator

    Can you bring up a CMD window (like you did from this thread), and enter the command "ipconfig/all" again? This time look for the line that shows your "DHCP Server..." and see if it matches that IP address?
  7. Dan Perez

    Dan Perez Retired Moderator

    Not sure if I am missing the point but doesn't :67 indicate it is BOOTPS/DHCP?

    [late edit - Lol, I got sidetracked and LWM beat me to it again!]
  8. LowWaterMark

    LowWaterMark Administrator

    Actually CrazyM beat us both. ;)

    I've actually been looking at this for quite a while... The thing that had me hung up was that I wasn't aware, and still can't confirm winlogon.exe's role in DHCP. (I don't use DHCP here given my connection type, so I am unsure about which Windows program actually attempts to get the DHCP renewal from the DHCP server. I haven't found anything that says winlogon.exe does it. :doubt: )

    Note that all the file attributes listed above do match my copy of winlogon.exe on XP Home, so I kinda doubt we're talking malware here.
  9. Dan Perez

    Dan Perez Retired Moderator

    :eek: You are so right. I misread his post to be inquiring after DNS servers and not DHCP. My apologies...

    And it is curious about winlogon doing anything with DHCP. I thought that was handled by one of the services.exe processes but maybe it is different on non-2k systems?
  10. sir_carew

    sir_carew Registered Member

    Hi,
    Yes, the IP listed above is the IP of my DHCP server.
    What is it? I block it from accessing the Internet, and my connection works OK.
    I connect via a cable modem without router, etc.
    Thanks.
  11. CrazyM

    CrazyM Firewall Expert

    You can add that to the trusted IPs as you did your ISP's DNS servers.

    Does your ZA have any specific settings that refer to Bootp/DHCP (UDP ports 67/68)?
    The traffic being blocked would appear to be associated with this. Bootp/DHCP traffic is used to obtain your IP from your DHCP server.

    Regards,

    CrazyM
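    The two checks suggested in this thread (LowWaterMark's "confirm it is the genuine winlogon.exe" and the CrazyM/LowWaterMark "compare the destination against your DHCP server and UDP 67/68") can be scripted on a current Windows host. The PowerShell below is an added example written for this page, not code from any poster or from ZoneAlarm; it assumes a modern Windows with PowerShell 5.1 or later (the XP machine in the thread would not have had it), and the alert value `200.27.66.77:67` is taken from the thread only as sample input. It reads the file's version resource and Authenticode/catalog signature, looks for other files of the same name under the Windows directory, and then decides whether the blocked destination is this host's own DHCP server on a BOOTP/DHCP port.

    ```powershell
    # Added example: triage a firewall alert attributed to winlogon.exe.
    # Assumptions: run on the host that raised the alert; $AlertDestination is the
    # "Destination IP" string copied from the alert (sample value from the thread).
    $AlertDestination = '200.27.66.77:67'
    $WinlogonPath     = Join-Path $env:SystemRoot 'system32\winlogon.exe'

    # --- 1. File identity: version resource + signature (what the thread checked by hand) ---
    $file = Get-Item -LiteralPath $WinlogonPath
    $info = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $WinlogonPath   # catalog-signed on modern Windows

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        CompanyName     = $info.CompanyName        # expect "Microsoft Corporation"
        OriginalName    = $info.OriginalFilename   # expect "WINLOGON.EXE"
        InternalName    = $info.InternalName       # expect "winlogon"
        FileVersion     = $info.FileVersion
        SignatureStatus = $sig.Status              # expect "Valid"
        Signer          = $sig.SignerCertificate.Subject
    } | Format-List

    # A second winlogon.exe outside System32 is worth a look; only the System32 copy is expected.
    Get-ChildItem -Path $env:SystemRoot -Filter 'winlogon.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $file.FullName } |
        ForEach-Object { Write-Warning "Additional winlogon.exe found: $($_.FullName)" }

    # --- 2. Network context: is the destination our DHCP server on UDP 67/68? ---
    # Equivalent to reading the "DHCP Server" line of `ipconfig /all`, as the thread suggests.
    $ip, $port = $AlertDestination -split ':', 2
    $dhcpServers = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.DHCPServer } |
        Select-Object -ExpandProperty DHCPServer

    if ($port -in @('67', '68')) {
        if ($ip -in @($dhcpServers)) {
            "Destination $ip is this host's DHCP server and port $port is BOOTP/DHCP: expected lease traffic."
        } else {
            "Port $port is BOOTP/DHCP, but $ip is not a known DHCP server here (known: $($dhcpServers -join ', ')). Investigate."
        }
    } else {
        "Port $port is not BOOTP/DHCP; the DHCP explanation from the thread does not apply to this alert."
    }
    ```

    If the signature is not `Valid`, or the destination port is 67/68 but the address is not the adapter's DHCP server, the alert deserves the closer look the thread asked for; if both checks pass, blocking the traffic only costs the machine its lease renewals, which is why the poster's connection kept working until the lease expired.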
  12. sir_carew

    sir_carew Registered Member

    Hi,
    No, I don't have any rule or setting referring to the DHCP servers.
    Other question: why am I receiving different alerts all the time from PCs that are in my ISP? The protocols are the same: UDP and TCP.
    Thanks.
  13. LowWaterMark

    LowWaterMark Administrator

    You are going to need to give us more details on this.

    The bulk of alerts in any firewall are going to be TCP or UDP... That's the majority of all packets that are out on any network. So, what specific alerts are you talking about?