
What is WinInit.exe?

So I was browsing Task Manager on my Vista box as Admin (Show all users processes) and I noticed wininit.exe. This file has that "virus ring" to it, so I decided to check it out. I'm positive my system hasn't been infected with anything, but there's never harm in checking. I did some searching and the first two results on Google are:

Interesting... I don't know how this got here, but let's kill it. Click on wininit.exe, click end process, blue screen. That's right... blue screen. Apparently wininit.exe is a crucial system file in Vista and shouldn't be killed by anyone, yet the administrator can kill it and easily blue screen the system. This probably shouldn't happen, and it's most likely something Microsoft should consider looking into... no user should be able to end task a single process and blue screen the system... not even the Administrator... I'd probably label this as a vulnerability, but I'm sure Microsoft sees it as a stability issue. This would be similar to lsass.exe on Windows XP with the nice pop-up that says, 'This is a critical system process... Task Manager cannot terminate this process' (or something similar).

So end result:

Running Vista:
WinInit.exe is a system-critical process, even though some malware scanners identify it as a bad apple. This file should exist in C:\Windows\system32 (or, more accurately, %windir%\system32).

Details (Windows Vista Home Premium) as of today:

File Description: Windows Start-Up Application
File Version: 6.0.6000.16386
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E

Pre-Vista Windows:
Trust your AntiMalware Software.

Anyone with other versions of Windows... see if your wininit.exe is the same (I'm assuming they all are, but if it's different... please post the version of Vista and the MD5 hash). Thanks.



  1. January 19th, 2009 at 14:20 | #1

    Actually yes… I think Microsoft should prevent the killing of processes that affect system stability, just as they did in Windows XP. I don't want something, even with admin access to have the ability to blue screen my system…

  2. January 19th, 2009 at 14:20 | #2

    There's a difference between installing drivers and terminating a critical system process. A big difference. Which is why Microsoft protected certain executables prior to Vista… I want to know why that protection was removed.

  3. January 19th, 2009 at 14:20 | #3

    Thanks for the info Bill…
    It's very dangerous when a filename crosses between legit, malware, legit…

    I'd love to know Microsoft's reasoning for having it run in Vista and allow for a system crash if you attempt to kill it, instead of denying the killing of it.

  4. Austin
    January 19th, 2009 at 14:20 | #4

    I have it in my Vista Home Premium. Here's the info about it:

    File description: Windows Start-Up Application
    File version: 6.0.6001.18000
    Product version: 6.0.6000.16386
    Size: 94.5 KB

    I was kind of concerned, thinking this running process was a virus or trojan after googling it. One thing to note is that wininit.exe in Windows XP and below is at greater risk of being considered bad stuff.

    I believe this is a valid application made by Microsoft, and after reading your post about WinInit.exe, I have been feeling reassured that I have nothing to be worried about.

  5. Toby Adams
    January 19th, 2009 at 14:20 | #5

    I have the problem that my internet traffic seems to be faulting and saying there is an error with Squid? I have never used Squid, and PCCSI's comment about intercepting traffic has got me worried. Is it possible I might have a man-in-the-middle attack going on here? If so, what's the best way to test? IP Chicken is giving me my correct WAN address.

  6. 3boysmommy
    January 19th, 2009 at 14:20 | #6

    Okay, I know nothing about computers, but I deleted wininit.exe (Windows ME) and now my computer won't load on its own. I have to wait for the black and white screen to pop up saying all the system info, then it says "unable to load, push any key to continue", so I hit a key, it loads, then says unable to find that file, I x out of it and all is good. Not a big deal, just terribly annoying…. Can anyone help???

  7. Gema
    January 19th, 2009 at 14:20 | #7

    Basically, it depends where the file is. If it is in the correct directory, then it's safe. What virus programmers have done recently, however, is to name their virus wininit.exe and put it somewhere else. This fools the virus scanner into thinking that it is a legitimate Windows file.
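    A defender-side check that follows from Gema's point (and the post's note that the real file lives in %windir%\system32): an added example, not code from the post or any commenter, that takes a list of (process name, image path) pairs and flags a wininit.exe running from anywhere else, or a name one character off. The process list is constructed for the demonstration; `audit`, `normalize`, `legit_path` and `edit_distance` are names chosen here.

```python
# Added example (not from the post): flag processes that carry the wininit.exe
# name outside %windir%\System32, or a near-miss name, per Gema's point above.
import ntpath
from typing import Iterable, List, Tuple

LEGIT_NAME = "wininit.exe"

def normalize(path: str) -> str:
    """Collapse '..' segments, unify separators/case (NTFS is case-insensitive), trim whitespace."""
    return ntpath.normpath(path.strip()).casefold()

def legit_path(windir: str = r"C:\Windows") -> str:
    """The only location the real binary should run from: %windir%\\System32\\wininit.exe."""
    return normalize(ntpath.join(windir, "System32", LEGIT_NAME))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch typo-squatted names like 'winlnit.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(processes: Iterable[Tuple[str, str]],
          windir: str = r"C:\Windows") -> List[Tuple[str, str, str]]:
    """Return (verdict, name, path) for each process named, or nearly named, wininit.exe."""
    expected = legit_path(windir)
    findings: List[Tuple[str, str, str]] = []
    for name, path in processes:
        base = ntpath.basename(normalize(name))
        if base == LEGIT_NAME:
            # right name: legitimate only at the expected System32 path
            verdict = "ok" if normalize(path) == expected else "wrong_path"
        elif edit_distance(base, LEGIT_NAME) == 1:
            verdict = "lookalike"
        else:
            continue
        findings.append((verdict, name, path))
    return findings

# Constructed sample (process name, image path) list for the demonstration
SAMPLE_PROCESSES = [
    ("wininit.exe", r"C:\Windows\System32\wininit.exe"),
    ("WININIT.EXE", r"c:\windows\system32\WININIT.EXE"),
    ("wininit.exe", r"C:\Windows\System32\..\Temp\wininit.exe"),
    ("winlnit.exe", r"C:\Users\Public\winlnit.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
```

    On the sample list, `audit(SAMPLE_PROCESSES)` returns two `ok` entries, one `wrong_path` (the `..` segment resolves to C:\Windows\Temp) and one `lookalike`; explorer.exe is ignored.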

  8. Kinez
    January 19th, 2009 at 14:20 | #8

    My problem is when I try to shut my computer down. I get an end program warning and I have to hit the 'end program' button before my computer will continue shutting down. When I looked into the details it said it was this 'wininit.exe'. So I look for it under processes in my Task Manager and I have the ability to end the process, but a warning comes up. I don't know what to do about the stupid pop up when I try to shut down though. It is annoying when I hit shut down and turn my monitor off; I expect it to shut down, not just stop everything until I click a button. Oh, I have an XP if that is important. Help?

  9. Bill Pytlovany
    January 20th, 2009 at 09:10 | #9

    WinInit.exe is a carry-over from a Win9x scheme that was used on startup. WinInit.exe runs and looks for a file called WinInit.INI. If it's found, it processes the commands found in this file.
    The type of command is pretty limited to
    NUL= path or
    REN= pathname1, pathname2 which are used to either delete or rename files on boot up.

    The purpose of this scheme was to allow setup programs and uninstallers to do their housekeeping.
    For instance, if you wanted to replace a system file that was in use, you could put a rename command in WinInit.ini to replace the file before it was loaded by Windows on your reboot. It also allows uninstallers to remove themselves after they're done.

    Once WinInit.exe processes the file, it renames WinInit.INI to WinInit.BAK so anyone with a Win9x system can check their last WinInit process.

    WinPatrol actually alerts Win9x users to the creation of a WinInit.INI file.

    Newer versions of Windows now use a key in the registry.
    "…\Control\Session Manager\PendingFileRenameOperations"

    Bill
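    An added example (not part of Bill's comment or the original post) that decodes the two boot-time file-operation mechanisms Bill describes: it parses the `[rename]` section of a Win9x WinInit.INI, assuming the `destination=source` / `NUL=source` layout documented in KB140570 (the article PCCSI links below), and decodes the REG_MULTI_SZ PendingFileRenameOperations value, so a reviewer can see which files were scheduled for deletion or replacement at the next boot. The sample INI text and registry strings are constructed.

```python
# Added example (not from the comment above): decode boot-time file operations
# queued via WinInit.INI or PendingFileRenameOperations for review.
from typing import List, Optional, Tuple

FileOp = Tuple[str, str, Optional[str]]  # (op, source, destination or None)

def parse_wininit_ini(text: str) -> List[FileOp]:
    """Parse the [rename] section of a Win9x WinInit.INI. Assumed layout
    (per KB140570): 'destination=source' renames; a destination of NUL deletes."""
    ops: List[FileOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            ops.append(("delete", src, None) if dest.upper() == "NUL"
                       else ("rename", src, dest))
    return ops

def strip_nt_prefix(path: str) -> str:
    """Drop the NT object-namespace prefix (\\??\\) used in the registry value."""
    return path[4:] if path.startswith("\\??\\") else path

def decode_pending_renames(values: List[str]) -> List[FileOp]:
    """Decode the REG_MULTI_SZ PendingFileRenameOperations value: strings come
    in source/destination pairs; an empty destination means delete, and a
    leading '!' on the destination means replace an existing file."""
    ops: List[FileOp] = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt_prefix(src), None))
        else:
            ops.append(("rename", strip_nt_prefix(src), strip_nt_prefix(dst.lstrip("!"))))
    return ops

# Constructed sample inputs for the demonstration
SAMPLE_INI = "[rename]\nNUL=C:\\TEMP\\UNINST.EXE\nC:\\WINDOWS\\SYSTEM\\NEW.DLL=C:\\TEMP\\NEW.DLL\n"
SAMPLE_REG = ["\\??\\C:\\Windows\\Temp\\setup.tmp", "",
              "\\??\\C:\\Windows\\Temp\\new.dll", "!\\??\\C:\\Windows\\System32\\old.dll"]

if __name__ == "__main__":
    for op in parse_wininit_ini(SAMPLE_INI) + decode_pending_renames(SAMPLE_REG):
        print(op)
```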

  10. JustSomeGuy
    January 20th, 2009 at 09:10 | #10

    Hi,

    Wow… so you want Windows to PREVENT you from killing a process if it is going to cause stability issues? Are you retarded? That's exactly what's wrong with Windows in the FIRST place – lack of granular control.

    Stop encouraging Microsoft to think they know better than the sys-admin, you douchebag.

  11. PCCSI
    January 20th, 2009 at 09:10 | #11

    You can basically see the MOI here:
    http://support.microsoft.com/kb/140570

    What I want to know is – why a legit wininit.exe is maintaining a listening TCP connection, as verified by TCPView?

    Bill P?

  12. JustSomeGuy
    January 20th, 2009 at 09:10 | #12

    Does that mean you don't want a sys admin to be able to.. oh.. I don't know… install drivers?

    A sys admin is always going to have the ability to crash a system. It's why companies [try to] hire competent sysadmins.

  13. Will Hughes
    January 20th, 2009 at 09:10 | #13

    Not sure whether you want Windows Server 2008 too, but this also has wininit.exe

    Windows Server 2008 64bit (RTM – x64)
    wininit.exe 101ba3ea053480bb5d957ef37c06b5ed

    (I haven't got a 32bit install of WS2008, sorry)

  14. Greg
    November 27th, 2009 at 18:36 | #14

    I believe an administrator should be able to kill such a service should they want to.
    However, perhaps a warning should pop up bringing the potential outcome of the action to the administrator's attention. Someone mentioned it being in Windows Server 2008, for example. Server OSs in particular should not place anyone, even an administrator, in such a situation without a warning. Such crashes can be damaging to a business, and to an admin's employment status.
