Hi torrey,
Could you clarify what you mean by "lock-up"? So far, we're only aware of an issue with userinit.exe being detected (albeit, not actually quarantined). Are you saying this is also resulting in the machine locking up/freezing?
Sorry, my bad. It looks like we may have two different issues that started around the same time. They both have an anti ransomware detection of Malware.Ransom.Agent.Generic but one is userinit.exe and the other is with explorer.exe. The explorer.exe causes the PC to lock up and seems to be linked to the Windows updates that we have been deploying.
We've had the lockup/freeze on 3 machines now. All screens go black with a message displayed from Malwarebytes that ransomware was detected and quarantined. The only way out is to force-power the machine off and then back on. Looking into the quarantine, we find the reference to userinit.exe. Oddly enough, in all cases this has happened when a user went to save an Excel spreadsheet. These spreadsheets were different in each case and the users were from different departments in our company. We are also using McAfee EPS version 10.6.1. Malwarebytes Anti-Malware 0.9.18.806-1.1.278.
It happens so infrequently and we are unable to reproduce at will. Out of 300-400 users, it has only happened 3 times (1 time for 3 different people) so uninstalling McAfee won't help us determine anything. If we could trigger it consistently that would be a helpful option to aid in troubleshooting.
Hard to say about timing. This has happened to my users at different times throughout the day. To my knowledge, they had been working for a while, well after a machine startup or OS login. They are also in Excel most of the day. Sorry. I know this is not very helpful info.
Incidentally, I went into MWB Management Console and edited our default policy adding this entry to the Ignore List tab and pushed that policy out to all clients. Don't know if this will prevent the false-positive temporarily until this is all figured out but so far we have not had any other occurrences. Below is what is in the quarantine tab on the client when the event occurs. I found I could not add this on the Anti-Ransomware tab as it only accepts File/Folder path, not registry entries. The Ignore List tab does accept registry entries however.
Just had another machine have this issue. I discovered something new for those out there with the same issue. Typically the person sees screen(s) go blank/black and can't do anything but power off the machine and restart. Just for kicks I used Dameware (remote control agent we use on our helpdesk) to attempt to control the client. As soon as I connected, my user's screen came back and she was able to use her machine again. I opened a few apps to make sure all was OK but got a strange error that Outlook 2016 shortcut was broken as if the program didn't exist. I went to the location where Office is installed only to find the Outlook.exe file size was 0k. Not sure what happened but I had to run an Office repair and reboot to get Outlook back in action. Hope a resolution comes soon.
Hi all,
Thank you for your patience.
We are still looking for additional information to narrow down a fix for this issue as reliably reproducing it has unfortunately proved elusive so far.
What would be helpful are full memory dumps of explorer.exe and winlogon.exe immediately after the detection occurs. This can be obtained as follows:
Hello,
We believe we have a potential fix for the issue, but do not currently have any information on when this will be available to your installed Malwarebytes product.
It will first make its way into the standalone Malwarebytes Anti-Ransomware beta. An announcement will be made in the following forum section when a new version of this is available.
We have released a new standalone Anti-Ransomware version, which can be found here. We believe this version will correct the issue at hand.
This new version of Anti-Ransomware will be made available to other Malwarebytes products in the future.
We have an early preview version of Malwarebytes Anti-Ransomware business that we'd love to get some additional feedback on. This version should address the issue reported in this topic.
If you're interested in trying this, please let me know and I will provide the details to you.
@LiquidTension We are a Malwarebytes Endpoint Protection customer still suffering from this issue. We have McAfee Endpoint - removing McAfee stops the "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT" registry key from being falsely detected as ransomware.
Hi @alexl010,
Thank you for your patience with this issue.
Yes, progress has been made. A fix for this is available to Malwarebytes Anti-Ransomware standalone, Malwarebytes version 4 and Malwarebytes Endpoint Security users. Unfortunately, we aren't yet able to release this fix to Malwarebytes Endpoint Protection and are currently in the process of working towards this. We intend on making this available as soon as possible.
Out of the blue with no changes I am aware of get message "Background Items Added "userinit.sh" is an item that can run in the background..." Disabled it in Login Items since it stated "Item from unidentified developer". Also noticed that init.sh also was from an unidentified developer. Is it safe to turn off init.sh also?
However, Avast should be uninstalled according to the developer's instructions. You can check to see if you've removed all of the supporting files by downloading and running the shareware app Find Any File to search for any files with the application's or the developer's name in the file name. For Avast software you'd do the following search(es):
When you open the System32 folder, you will find userinit.exe. What is it, and why is it on your computer? This post answers those questions.
First of all, what is userinit.exe? It is known as a Userinit Logon Application file, which is a software component of the Windows system. It is located in the C:\Windows\System32 folder or sometimes in a subfolder of C:\Windows.
Userinit.exe is the program responsible for running logon scripts, re-establishing network connections (for example mapped drives), and then starting Explorer.exe as the user's shell. It is essential to a normal, stable logon and should not be terminated.
When a user logs on to Windows, Winlogon launches userinit.exe; the file is loaded into memory and runs as the "Userinit Logon Application" process until it has handed off to the shell.
I have the program set to start in screen center... but it does not want to display in the correct location until i do a alt-tab to bring it to the front, and then it will be displayed in the correct location.
using the userinit, and appending the executable to the end of the values line, does indeed start the application, but how do I force it to center on the screen when the screen has not been established yet?
The genuine userinit.exe file is a software component of Microsoft Windows Operating System by Microsoft Corporation.
"Userinit.exe" is an important software component of the Microsoft Windows operating system with a crucial role in the Windows logon process. It should reside in "C:\Windows\System32" and should not be removed. It is often targeted, or its name imitated, by malware; the most suspicious location is one folder higher, directly in "C:\Windows". Normally the path for "Userinit.exe" is stored in the registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", and "Winlogon.exe" launches whatever that value points to; if the value is changed, the genuine userinit.exe will not be launched, which is why both malware and security products pay attention to it. This occurs as one step in the Windows logon sequence, which is controlled by multiple registry keys, just before the Shell (Explorer.exe) is launched. "Userinit.exe" executes logon scripts, which are batch files or custom-coded executables deployed by enterprise or institutional network administrators. Logon scripts are often located on domain controllers and are most often used to map drive letters to network resources, but not exclusively. Group Policies may be used instead.
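Because the Winlogon\Userinit value decides what runs at every logon, a practical check is to read it, confirm that each entry resolves to a Microsoft-signed binary in System32, and look for the "one folder higher" lookalike. The script below is an added example written for this page, not code from Malwarebytes, MiniTool, or any other source quoted here. It assumes a Windows host with PowerShell 5 or later run from a 64-bit session (so the registry view is not redirected); the expected single-entry format (`C:\Windows\system32\userinit.exe,`) is what stock Windows ships, and additional comma-separated entries are reported as "extra" rather than malicious, since administrators and some security products legitimately append their own programs there.

```powershell
# Added example (not from the original page): audit the Winlogon\Userinit value
# and the userinit.exe binary it points at. Read-only; no admin rights needed.

$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'   # the only legitimate home

$raw = (Get-ItemProperty -Path $regPath -Name Userinit).Userinit
Write-Host "Userinit value: $raw"

# Windows treats the value as a comma-separated list and runs each entry in turn.
# A stock install has exactly one entry followed by a trailing comma.
$entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$findings = @()
foreach ($entry in $entries) {
    # Pull the executable path out of an entry that may be quoted or carry arguments.
    if ($entry -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($entry -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    if (-not (Test-Path -LiteralPath $exe)) {
        $findings += "MISSING: '$exe' does not exist; the shell would not start at logon"
        continue
    }
    if ($exe -ne $expected) {   # -ne is case-insensitive in PowerShell
        $findings += "EXTRA: '$exe' is not $expected (legitimate admin add-on, or a hijack)"
    }
    # Get-AuthenticodeSignature also validates catalog-signed system files on Win8.1+.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "SIGNATURE: '$exe' status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    }
}

# The classic lookalike lives one folder up, directly in %SystemRoot%.
$lookalike = Join-Path $env:SystemRoot 'userinit.exe'
if (Test-Path -LiteralPath $lookalike) {
    $findings += "LOOKALIKE: $lookalike exists outside System32"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else          { Write-Host 'Userinit configuration looks normal.' }
```

Run it on a known-good machine first to see the baseline for your environment; an "EXTRA" entry that appears on every host after an endpoint-security rollout is the product's own hook, whereas an unsigned binary or a copy in C:\Windows warrants a closer look. The script reads the value the way Winlogon does (split on commas), so a value that merely looks odd in the quarantine log, as in the thread above, can be compared against what actually resolves on disk.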
The .exe extension on a filename indicates an executable file. Executable files may, in some cases, harm your computer. Therefore, please read below to decide for yourself whether the userinit.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.
Description: The original userinit.exe from Microsoft is an important part of Windows, but often causes problems. The userinit.exe file is located in the C:\Windows\System32 folder or sometimes in a subfolder of C:\Windows. Known file sizes on Windows 10/11/7 are 26,624 bytes (46% of all occurrences), 26,112 bytes and 10 more variants.
The program is not visible. The userinit.exe file is a Microsoft-signed file. It is a Windows core system file. Therefore the technical security rating is 8% dangerous; however, you should also read the user reviews.
Is userinit.exe a virus? No, it is not. The true userinit.exe file is a safe Microsoft Windows system process, called "Userinit Logon Application". However, writers of malware programs, such as viruses, worms, and Trojans, deliberately give their processes the same file name to escape detection. Viruses with the same file name include Worm:Win32/VB.HA or Trojan:Win32/Vhorse.Q (detected by Microsoft), and W32.SillyFDC or W32.Versie.A (detected by Symantec).