
What is WinInit.exe?

So I was browsing Task Manager on my Vista box as Admin (Show all users processes) and I noticed wininit.exe. This file has that "virus ring" to it, so I decided to check it out. I'm positive my system hasn't been infected with anything, but there's never harm in checking. I did some searching and the first two results on Google are:

Interesting... I don't know how this got here, but let's kill it. Click on wininit.exe, click end process, blue screen. That's right... blue screen. Apparently wininit.exe is a crucial system file in Vista and shouldn't be killed by anyone, yet the administrator can kill it and easily blue screen the system. This probably shouldn't happen, and it's most likely something Microsoft should consider looking into... no user should be able to end task a single process and blue screen the system... not even the Administrator... I'd probably label this as a vulnerability, but I'm sure Microsoft sees it as a stability issue. This would be similar to lsass.exe on Windows XP with the nice pop-up that says, 'This is a critical system process... Task Manager cannot terminate this process' (or something similar).

So end result:

Running Vista:
WinInit.exe is a system-critical process, even though some malware scanners identify it as a bad apple. This file should exist in C:\Windows\system32 (or, more accurately, %windir%\system32).

Details (Windows Vista Home Premium) as of today:

File Description: Windows Start-Up Application
File Version: 6.0.6000.16386
MD5: D4385B03E8CCCEE6F0EE249F827C1F3E

Pre-Vista Windows:
Trust your AntiMalware Software.

Anyone with other versions of Windows... see if your wininit.exe is the same (I'm assuming they all are, but if it's different... please post the version of Vista and the MD5 hash). Thanks.

  1. January 19th, 2009 at 14:20 | #1

    Actually yes… I think Microsoft should prevent the killing of processes that affect system stability, just as they did in Windows XP. I don't want something, even with admin access, to have the ability to blue screen my system…

  2. January 19th, 2009 at 14:20 | #2

    There's a difference between installing drivers and terminating a critical system process. A big difference. Which is why Microsoft protected certain executables prior to Vista… I want to know why that protection was removed.

  3. January 19th, 2009 at 14:20 | #3

    Thanks for the info Bill…
    It's very dangerous when a filename crosses between legit, malware, legit…

    I'd love to know Microsoft's reasoning for having it run in Vista and allow for a system crash if you attempt to kill it, instead of denying the killing of it.

  4. Austin
    January 19th, 2009 at 14:20 | #4

    I have it in my Vista Home Premium. Here's the info about it:

    File description: Windows Start-Up Application
    File version: 6.0.6001.18000
    Product version: 6.0.6000.16386
    Size: 94.5 KB

    I was kind of concerned thinking I have this running process as a virus or trojan after googling it. One thing to note is that wininit.exe in Windows XP and below is at a greater risk of being considered bad stuff.

    I believe this is a valid application made by Microsoft, and after reading your post about WinInit.exe, I have been feeling reassured that I have nothing to be worried about.

  5. Toby Adams
    January 19th, 2009 at 14:20 | #5

    I have the problem that my internet traffic seems to be faulting and saying there is an error with Squid? I have never used Squid? And PCCSI's comment about intercepting traffic has got me worried. Is it possible I might have a man-in-the-middle attack going on here? If so, what's the best way to test? IP Chicken is giving me my correct WAN address.

  6. 3boysmommy
    January 19th, 2009 at 14:20 | #6

    Okay, I know nothing about computers, but I deleted the wininit.exe (Windows ME) and now my computer won't load on its own. I have to wait for the black and white screen to pop up saying all the system info, then it says "unable to load, push any key to continue", so I hit a key, it loads, then says unable to find that file, I X out of it and all is good. Not a big deal, just terribly annoying…. Can anyone help???

  7. Gema
    January 19th, 2009 at 14:20 | #7

    Basically, it depends where the file is. If it is in the correct directory, then it's safe. What virus programmers have done recently, however, is to name their virus wininit.exe and put it somewhere else. This fools the virus scanner into thinking that it is a legitimate Windows file.

  8. Kinez
    January 19th, 2009 at 14:20 | #8

    My problem is when I try to shut my computer down. I get an end program warning and I have to hit the 'end program' button before my computer will continue shutting down. When I looked into the details it said it was this 'wininit.exe'. So I look for it under processes in my task manager and I have the ability to end the process, but a warning comes up. I don't know what to do about the stupid pop up when I try to shut down though. It is annoying when I hit shut down and turn my monitor off; I expect it to shut down, not just stop everything until I click a button. Oh, I have XP if that is important. Help?

  9. Bill Pytlovany
    January 20th, 2009 at 09:10 | #9

    WinInit.exe is a carry-over from a Win9x scheme that was used on startup. WinInit.exe runs and looks for a file called WinInit.INI. If it's found, it processes the commands found in this file.
    The type of command is pretty limited to
    NUL= path or
    REN= pathname1, pathname2 which are used to either delete or rename files on boot up.

    The purpose of this scheme was to allow setup programs and uninstallers to do their housekeeping.
    For instance, if you wanted to replace a system file that was in use, you could put a rename command in WinInit.ini to replace the file before it was loaded by Windows on your reboot. It also allows uninstallers to remove themselves after they're done.

    Once WinInit.exe processes the file, it renames WinInit.INI to WinInit.BAK, so anyone with a Win9x system can check their last WinInit process.

    WinPatrol actually alerts Win9x users to the creation of a WinInit.INI file.

    Newer versions of Windows now use a key in the registry.
    "…\Control\Session Manager\PendingFileRenameOperations"

    Bill
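The two housekeeping mechanisms Bill describes, WinInit.INI commands and the PendingFileRenameOperations registry value, are also what an installer or uninstaller (benign or not) uses to delete or swap files at the next boot, which is why WinPatrol alerts on the INI file. The parser below is an added example, not code from this post or from WinPatrol: it reads both formats into one list so a defender can review what is queued before rebooting. It assumes the REG_MULTI_SZ layout Windows documents for that value (alternating source and destination strings, empty destination meaning delete, optional '!' and '\??\' prefixes), reads REN=pathname1, pathname2 as renaming the first to the second, and uses constructed sample inputs.

```python
from typing import List, Tuple

# (operation, source path, destination path); destination is "" for a delete
Op = Tuple[str, str, str]

def _strip_nt_prefix(path: str) -> str:
    """Drop the '!' replace-existing flag and the '\\??\\' NT path prefix."""
    if path.startswith("!"):
        path = path[1:]
    return path[4:] if path.startswith("\\??\\") else path

def parse_wininit_ini(text: str) -> List[Op]:
    """NUL=path deletes; REN=pathname1, pathname2 is read as 'rename 1 to 2' (assumption)."""
    ops: List[Op] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank lines, comments and [section] headers carry no command
        key, _, value = line.partition("=")
        key = key.strip().upper()
        if key == "NUL":
            ops.append(("delete", value.strip(), ""))
        elif key == "REN":
            src, _, dst = value.partition(",")
            ops.append(("rename", src.strip(), dst.strip()))
    return ops

def parse_pending_renames(multi_sz: List[str]) -> List[Op]:
    """PendingFileRenameOperations: alternating source/destination strings, empty destination = delete."""
    ops: List[Op] = []
    for i in range(0, len(multi_sz) - 1, 2):
        src = _strip_nt_prefix(multi_sz[i])
        dst = _strip_nt_prefix(multi_sz[i + 1])
        ops.append(("delete", src, "") if dst == "" else ("rename", src, dst))
    return ops

def pending_deletes(ops: List[Op]) -> List[str]:
    """Paths queued for deletion at next boot: the ones to review before rebooting."""
    return [src for op, src, _ in ops if op == "delete"]

# Constructed sample inputs; neither is taken from a real system.
SAMPLE_INI = r"""[rename]
; queued by an installer's cleanup step
NUL=C:\WINDOWS\TEMP\setup.tmp
REN=C:\WINDOWS\SYSTEM\new.dll, C:\WINDOWS\SYSTEM\old.dll
"""
SAMPLE_REG = [r"\??\C:\Windows\Temp\upd.tmp", "",
              r"\??\C:\Program Files\App\app.new", r"!\??\C:\Program Files\App\app.exe"]
```

On a live Vista or later system the list for `parse_pending_renames` is what `winreg.QueryValueEx` returns for that value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`; a WinInit.BAK from a Win9x box can be fed to `parse_wininit_ini` as-is.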

  10. JustSomeGuy
    January 20th, 2009 at 09:10 | #10

    Hi,

    Wow… so you want Windows to PREVENT you from killing a process if it is going to cause stability issues? Are you retarded? That's exactly what's wrong with Windows in the FIRST place – lack of granular control.

    Stop encouraging Microsoft from thinking they know better than the sys-admin you douchebag.

  11. PCCSI
    January 20th, 2009 at 09:10 | #11

    You can basically see the MOI here:
    http://support.microsoft.com/kb/140570

    What I want to know is – why is a legit wininit.exe maintaining a listening TCP connection, as verified by TCPView?

    Bill P?

  12. JustSomeGuy
    January 20th, 2009 at 09:10 | #12

    Does that mean you don't want a sys admin to be able to.. oh.. I don't know… install drivers?

    A sys admin is always going to have the ability to crash a system. It's why companies [try to] hire competent sysadmins.

  13. Will Hughes
    January 20th, 2009 at 09:10 | #13

    Not sure whether you want Windows Server 2008 too, but this also has wininit.exe

    Windows Server 2008 64bit (RTM – x64)
    wininit.exe 101ba3ea053480bb5d957ef37c06b5ed

    (I haven't got a 32bit install of WS2008, sorry)

  14. Greg
    November 27th, 2009 at 18:36 | #14

    I believe an administrator should be able to kill such a service should they want to.
    However, perhaps a warning should pop up bringing the potential outcome of the action to the administrator's attention. Someone mentioned it being in Windows Server 2008 for example. Server OSs in particular should not place anyone, even an administrator, in such a situation without a warning. Such crashes can be damaging to a business, and to an admin's employment status.

  15. Guest
    May 18th, 2010 at 20:12 | #15

    @Greg
    +1

    Nothing pisses me off more than that annoying box telling me a process cannot be terminated.
    ProcExp fixed a lot of that crap, but many still exist. Meanwhile, access denied error boxes keep allowing this crap to bloat my system when I wanna get every possible fps. yaaaaaayyy

  16. Think Deeper
    December 24th, 2010 at 23:46 | #16

    Oh shortsighted ones — Any process that even the administrator cannot kill makes for the perfect file for a virus to infect or replace. Successful infection/replacement would make the virus invulnerable to anti-virus trying to stop and delete it. What you are actually working your way towards but have not yet “discovered” is… there is a damn good reason that even Microsoft strongly recommends that you do NOT run Windows under administrator account privileges. But Windows yields to “the customer is always right” complaints that a default account that is not administrator inconveniences customers by requiring extra clicks and knowing a password to install software. Yes, as a group Windows customers demand convenience over security. And your half-thought-out suggestion to make all system processes invulnerable while the OS is running is just another “make things more convenient regardless of overall security implications”. However, in this case some of you do circle around a good idea without making it your main point. WININIT.EXE should not have been important enough to crash the OS. Heck, it probably should not even be running unless a special install or uninstall has requested its services. That is, MS needs to comb through system processes that should not be critical and make sure ending those processes is unlikely to crash or result in severe system impact. Even some of the truly important but abortable processes should be examined to see if warnings or further system action to produce a graceful emergency shutdown can be created. Why are some processes immune to termination? Much of that is because there is no way to continue without immediate crash or bluescreen — and not just as a domino side effect. These are the most basic sections of what runs your programs and presents a user interface. If you could stop these processes your OS could not do anything useful. So the immunity is not intended to protect the less technical user from aborting the wrong processes,
