So you notice cpu spikes on the process winlogon.exe and rarely on csrss.exe, and maybe you also see high memory consumption on a svchost process that is registered to the SYSTEM. If you have RDP(remote desktop connection protocol) ON is likely that you receive a lot of incoming brute-force connections on your RDP station. You can check that in windows events. In that case you have 2 simple solutions, first solution is to install a program that monitors and bans repeated attempts of login for RDP and you can try RdpGuard(but is not free) or free alternatives like IP Ban ( ) available on github and EvlWatcher( ), but you can choose even a simpler solution. The second and the simplest method that works almost everytime is to change de default port that is assigned to the number 3389 and you can change that port by modifying the registry key PortNumber located at : [code souce="plain"] [ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp ] [/code] using this method is likely that you wont receive any traffic and i think that is better then blocking the traffic received. The only disadvantage is that you must specify the port when connecting by inserting ":Portnumber" after your IP or DNS in the connection input. Again there are other solution as well like if you your station is behind a firewall maybe a router or server with iptables or other kind of net filter but most of the brute-force attacks are made on the default port so other solution should be applied only if the problem continues after changing the default port.