Unusual Disk Usage by Userinit Logon Application – Potential Security Concern


AnhTuan_Utracon
Posted

Dear Kaspersky Support Team,

I am a licensed Kaspersky user, and I would like to ask for your assistance regarding suspicious behavior observed on one of our company’s computers.

We noticed that the process Userinit Logon Application is continuously writing a large amount of data (approximately 20GB) to the *C:* drive, specifically under the folder C:\Users\Public\Graphics. What’s concerning is that the files appear to be downloaded from our internal company server.

Here are some details:

  • The files in the Graphics folder all show 0KB in size when viewed, but the overall folder size is significantly large (around 20GB).

  • The system does not have Synology Drive Client installed.

  • Offline Files feature in Windows is disabled.

  • The userinit.exe file has a valid Microsoft digital signature.

  • We have scanned the machine using Kaspersky, and no threats were detected.

  • Hidden files and system files are fully visible, and still, all individual files in the folder appear as 0KB despite the large folder size.

We are concerned whether this might indicate some form of malware activity or even a potential breach. Could you please advise on what might be causing this, and whether it could be a security risk?

Thank you for your support.

Renan Corassa
Posted (edited)

Well, first things first.
You need to tell us which solution you're using in your environment.
Do you use management? If so, which one?
Which version is installed on servers and workstations?
Which hosts are experiencing your "problem"?

 

To be clear, the main role of userinit.exe or Userinit Logon Application is to initialize the user environment after login. It is crucial to the authentication process and desktop preparation.

It performs a combination of actions such as:

  • Restores the network connection (such as mapped drives).

  • Runs logon scripts defined by group policies.

  • Starts the user's default shell (typically explorer.exe, which displays the taskbar, desktop, etc.).

  • Ensures the login process continues correctly and displays the Windows graphical environment.

Edited by Renan Corassa
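
A read-only triage sketch for the checks discussed in this thread, added here as an example and not posted by either participant or provided by Kaspersky. It assumes it is run as the affected user in Windows PowerShell 5.1 on an NTFS volume; the idea that the 0 KB files keep their data in alternate data streams is one possible explanation to rule out, not something the thread confirms.

```powershell
# Added triage example (not from the thread). Read-only; changes nothing on the host.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$folder   = 'C:\Users\Public\Graphics'   # folder reported in the first post

# 1. What Winlogon starts at logon. Windows defaults:
#    Userinit = "C:\Windows\system32\userinit.exe,"   Shell = "explorer.exe"
$wl = Get-ItemProperty -Path $winlogon
[pscustomobject]@{ Userinit = $wl.Userinit; Shell = $wl.Shell }

# 2. Signature status of every entry named in the Userinit value
#    (anything besides the single default path deserves a closer look).
$wl.Userinit -split ',' | Where-Object { $_.Trim() } | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_.Trim())
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{ Path = $path; Status = $sig.Status
                           Signer = $sig.SignerCertificate.Subject }
    } else {
        [pscustomobject]@{ Path = $path; Status = 'NotFound'; Signer = $null }
    }
}

# 3. Logon scripts that userinit.exe runs for this user:
#    GPO-assigned scripts and the legacy per-user UserInitMprLogonScript value.
$gpo = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
if (Test-Path $gpo) {
    Get-ChildItem $gpo -Recurse | Get-ItemProperty |
        Where-Object { $_.Script } | Select-Object Script, Parameters
}
(Get-ItemProperty 'HKCU:\Environment').UserInitMprLogonScript

# 4. Listed size versus data in all NTFS streams, plus attributes
#    (SparseFile, ReparsePoint, Offline) for the 20 largest files.
Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $streams = Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File        = $_.FullName
            ListedBytes = $_.Length
            AllStreams  = ($streams | Measure-Object Length -Sum).Sum
            StreamNames = ($streams.Stream -join ';')
            Attributes  = $_.Attributes
        }
    } | Sort-Object AllStreams -Descending | Select-Object -First 20
```

A row where AllStreams is far larger than ListedBytes, or a Userinit value that names anything other than the default path, is the evidence to attach when replying with the product and version details requested above.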
