So I'm listening to music with Windows Media Player, going insane because the music randomly stops playback every so often. I finally notice that it correlates with instances of csrss, winlogon, and logonui repeatedly starting and quitting.
I finally tracked that down to IIS repeatedly logging on and off due to WebDAV requests going through my user account (my laptop syncing up with OneNote over WebDAV). I see tons of spam in my security event log for the logins.
I am surprised that IIS needs to log in this much. This has only been happening for a couple of months. I'm not sure where the actual problem lies - with IIS, or Media Player, or what, so I figured I'd try and find out if the IIS login behavior is actually abnormal.
Is it normal for IIS to log in this much? And is it normal for that to keep spawning winlogon, csrss, and logonui every second or so? I see a constant stream of logon events in the event log every few seconds presumably while OneNote is syncing. Logon (id = 1, source = laptop), Special Logon (id = 1, sets up privileges), Special Logon (id = 1, seems to set up the same privileges), Logon (id = 2, same laptop), Logoff (id = 2), Logoff (id = 1)
The DefaultAppPool (only one apparently in use) has its idle timeout set to 20 minutes, and load user profile set to false. Not sure what other settings (if any) might be relevant.
You've described what I'd call an unusual setup to begin with. And asking "this much" is not useful because you've provided no frequency information, or information about how many requests are coming in. So I'm going to need to go psychic on this one; please bear with me.
First question: Why not just sync OneNote over SMB? (i.e. regular Windows sharing). (Actually, if you want to go really sideways, I find SkyDrive is a really, really good solution for OneNote sync with the latest OneNote update, plus you get a web-based editable copy of the notebook, plus OneNote syncs with it on basically any device (iOS, WP7, etc.))
Next question: App pools stop if they're idle for 20 minutes by default. Try turning that off, and you might find that your app pools don't keep having to restart desktop instances, which would reduce the pausing to one per attempt.
Final bit: I'd say no to the second part (Winlogon and Logonui? really? a new desktop session for a web user?), but I'm honestly not sure - it's possible this is due to the choice of user account being used to host the website, or that Load User Profile is enabled in the App Pool properties.
You might be able to mitigate it by toggling that setting (or turning off Idle timeouts on the App Pool, which would leave it running indefinitely*), or using a different user account, or not using WebDAV.
\* for 29 hours at default settings, when a recycle is forced for an app pool
Actually it appears it was brute-force attempts against remote desktop, e.g. "Too Many winlogon.exe LogonUI.exe csrss.exe open on server?". I relocated my RDP port and it stopped.
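
One way to tell the two explanations in this thread apart (IIS/WebDAV logons versus password guessing against Remote Desktop) is to break the Security log's logon events down by outcome, logon type and source address. The script below is an added example, not part of the original thread; the event IDs and logon-type values are standard Windows auditing values that the thread itself does not mention, and the one-hour window is an arbitrary assumption.

```powershell
# Added example: summarise recent logon events by outcome, type and source.
# Run from an elevated PowerShell session on the affected machine.
$since = (Get-Date).AddHours(-1)      # assumed look-back window

# Logon types relevant to this thread (Windows Security auditing values).
$logonTypes = @{
    '3'  = 'Network (SMB, or RDP with NLA)'
    '8'  = 'NetworkCleartext (e.g. IIS Basic auth)'
    '10' = 'RemoteInteractive (RDP)'
}

$rows = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625            # 4624 = logon success, 4625 = logon failure
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $type = [string]$data['LogonType']
    [pscustomobject]@{
        Outcome   = if ($_.Id -eq 4625) { 'Failure' } else { 'Success' }
        LogonType = $type
        TypeName  = $logonTypes[$type]
        Source    = $data['IpAddress']
        Account   = $data['TargetUserName']
    }
}

# Steady successes for one account from the laptop's address fit the WebDAV
# sync; failures of type 3 or 10 from unfamiliar addresses fit RDP guessing.
$rows | Group-Object Outcome, LogonType, TypeName, Source |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# Failed logons per source address, with the number of distinct accounts tried.
$rows | Where-Object Outcome -eq 'Failure' | Group-Object Source |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            Accounts = @($_.Group.Account | Sort-Object -Unique).Count
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A source address with many failures spread across many account names is the pattern to look for before deciding that IIS is responsible for the logon churn.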