Simple (relatively) things allowing you to dig a bit deeper than usual.

View on GitHub

The magic behind wlrmdr.exe

The tool is intended to display reminders from Winlogon (WinLogon ReMinDeRs). Such reminders may include scenarios like password expiration, additional credentials required etc. Two very special cases are related to the cloud passwords discussed below: one for the expiration, and one for change.


Parameters to the wlrmdr.exe include:

Order of parameters is important! Parameters -s, -f, -t, and -m must be present in the correct order, otherwise the command will silently fail.

Other parameters are totally ignored and do not affect the way how wlrmdr.exe works.

Wlrmdr.exe tries to identify its parent process, and when it is winlogon.exe, it changes the way how it works, but I was unable to follow this path any deeper so far. It’s also related to the “-1” specified as a value for the -s parameter.

Special cases

Special values for -a include:

Malicious scenarios

Practical usage scenarios may include the following steps:

  1. Invoking URL for binaries. The behavior will depend on the internet browser, but by default it will download the file to %userprofile%\Downloads assigning the random name and .crdownload extension.
  2. Invoking series of cmd.exe /c commands for identifying and renaming the downloaded binary to the desired name and extension.
  3. Executing the downloaded file.

The nature of ShellExecute() will make the default browser to download the file. Wlrmdr.exe process does not download anything on its own.

Notifications from wlrmdr.exe may be managed through built-in settings app:

General Settings:


Windows Logon Reminders Settings: