Know the Processes Running on Your System!
Article Written by Oren Chapo
When troubleshooting "strange" phenomena I'm not familiar with, one of the first things I usually do is to look at the running tasks. But... what exactly is "MDM.EXE"? Should it be there? Is it a virus? Spyware? A system component? Or maybe it's my modem driver? Hey, and what about "SVCHOST.EXE"? It appears about 4 times and takes LOADS of memory...
Well, things sure would be simpler if you only knew... This article will try to make you familiar with the processes running on your Windows O/S, or at least to give you some ideas ;-)
In this article:
- Links to Windows Processes & Services Lists
- Using Command-Line Tools to List Processes
- How to Stop Auto-Running Processes
Links to Windows Processes & Services Lists
Well, I could put here a list of well-known and less-known processes, with detailed information about each, but... other people have already done that for you :-)
- Task List Programs (Very Comprehensive):
- Black Viper's Windows 2000 Services Configuration 411:
- Startup Programs: http://www.geocities.com/greyknight17/startup.htm
Using Command-Line Tools to List Processes
If you have installed the Support Tools from the Windows 2000 CD-ROM (recommended!), you may find the TLIST.EXE tool very useful. Its general purpose is to display a list of applications and their associated tasks/processes currently running on a system. This tool should be run from a command (cmd) prompt. The best way to use this tool is by issuing the command TLIST -s. The -s argument tells the command to show the services active in each process. Example #1 shows a sample output:
X:\> tlist -s
   0 System Process
   8 System
 176 SMSS.EXE
 204 CSRSS.EXE
 228 WINLOGON.EXE
 256 SERVICES.EXE    Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,
                           lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,
                           seclogon,TrkSvr,TrkWks,W32Time,Wmi
 268 LSASS.EXE       Svcs: kdc,Netlogon,NtLmSsp,PolicyAgent,SamSs
 384 termsrv.exe     Svcs: TermService
 520 svchost.exe     Svcs: RpcSs
 824 msdtc.exe       Svcs: MSDTC
 932 cisvc.exe       Svcs: cisvc
 948 dfssvc.exe      Svcs: Dfs
 960 tcpsvcs.exe     Svcs: DHCPServer,LPDSVC
 992 ismserv.exe     Svcs: IsmServ
1012 LLSSRV.EXE      Svcs: LicenseService
1060 vmimb.exe       Svcs: MSPOP3Connector
1136 sqlservr.exe    Svcs: MSSQLSERVER
1168 msmdsrv.exe     Svcs: MSSQLServerOLAPService
1204 ntfrs.exe       Svcs: NtFrs
1288 regsvc.exe      Svcs: RemoteRegistry
1300 LOCATOR.EXE     Svcs: RpcLocator
1308 mstask.exe      Svcs: Schedule
1356 SNMP.EXE        Svcs: SNMP
1392 svchost.exe     Svcs: TapiSrv
1456 tlntsvr.exe     Svcs: TlntSvr
1592 Upssrv.exe      Svcs: UPSMON_Service
1632 WinMgmt.exe     Svcs: WinMgmt
1660 MsPMSPSv.exe    Svcs: WMDM PMSP Service
1672 svchost.exe     Svcs: wuauserv
1688 DNS.EXE         Svcs: DNS
1700 inetinfo.exe    Svcs: IISADMIN,IMAP4Svc,MSFTPSVC,NntpSvc,POP3Svc,RESvc,
                           SMTPSVC,W3SVC
1748 Upsmon.exe
1764 EXMGMT.EXE      Svcs: MSExchangeMGMT
1828 UPSData.exe
1900 MAD.EXE         Svcs: MSExchangeSA
1980 mssearch.exe    Svcs: MSSEARCH
2472 STORE.EXE       Svcs: MSExchangeIS
2736 EMSMTA.EXE      Svcs: MSExchangeMTA
3704 cidaemon.exe
1604 cidaemon.exe
3636 cidaemon.exe
2124 DLLHOST.EXE
2216 DLLHOST.EXE
 784 CSRSS.EXE       Title:
 588 WINLOGON.EXE    Title: NetDDE Agent
3360 rdpclip.exe     Title: CB Monitor Window
3828 explorer.exe    Title: Program Manager
3892 internat.exe    Title:
2464 svchost.exe     Svcs: BITS
2976 spoolsv.exe     Svcs: Spooler
1752 FXSSVC.exe      Svcs: SharedFax
3980 svchost.exe     Svcs: EventSystem,Netman,NtmsSvc,RasMan
3600 explorer.exe
3932 internat.exe
3540 winamp.exe
2836 CMD.EXE         Title: C:\WINNT\System32\cmd.exe
4096 tlist.exe
4180 clip.exe
If you're running Windows XP, you'll find an even better built-in tool: TASKLIST.EXE. This tool comes with a default installation of Windows XP (no need to install Support Tools). The best way to use this tool is by issuing the command TASKLIST /svc (again, this argument tells the command to display the services in each process). Example #2 shows a sample output:
X:\> tasklist /svc
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       620 N/A
csrss.exe                      692 N/A
winlogon.exe                   716 N/A
services.exe                   760 Eventlog, PlugPlay
lsass.exe                      772 Netlogon, PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    952 RpcSs
svchost.exe                   1052 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Messenger,
                                   Netman, Nla, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, srservice, TapiSrv,
                                   TermService, Themes, TrkWks, uploadmgr,
                                   W32Time, winmgmt, WmdmPmSp, wuauserv, WZCSVC
svchost.exe                   1184 Dnscache
svchost.exe                   1200 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                   1404 Spooler
mdm.exe                       1580 MDM
nvsvc32.exe                   1628 NVSvc
snmp.exe                      1684 SNMP
svchost.exe                   1708 stisvc
MsPMSPSv.exe                  1756 WMDM PMSP Service
fxssvc.exe                    1892 Fax
explorer.exe                  1120 N/A
point32.exe                   1348 N/A
ctfmon.exe                    1480 N/A
msmsgs.exe                     884 N/A
HOTSYNC.EXE                   1520 N/A
notepad.exe                    684 N/A
iexplore.exe                  2160 N/A
cmd.exe                       3252 N/A
tasklist.exe                  2196 N/A
clip.exe                      3996 N/A
wmiprvse.exe                   268 N/A
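Eyeballing that listing is fine for one machine, but the real value of TASKLIST /svc is that it tells you which services live in each svchost.exe instance and which image names you have not yet identified. The following Python script is an added example written for this page; it is not part of the article and not a Microsoft tool. It parses saved "tasklist /svc" output (including the indented continuation lines the real tool prints when a service list is long), maps each PID to its hosted services, finds the process hosting a given service, and reports images missing from a baseline of names you already trust. The sample output and the baseline set are constructed from the article's Example #2.

```python
import re
import sys

# Constructed sample modelled on the article's Example #2 (a subset of it),
# laid out the way "tasklist /svc" prints it, including the indented
# continuation lines the real tool emits for long service lists.
SAMPLE_OUTPUT = """Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       620 N/A
csrss.exe                      692 N/A
winlogon.exe                   716 N/A
services.exe                   760 Eventlog, PlugPlay
lsass.exe                      772 Netlogon, PolicyAgent, ProtectedStorage,
                                   SamSs
svchost.exe                    952 RpcSs
svchost.exe                   1052 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem, helpsvc,
                                   wuauserv, WZCSVC
svchost.exe                   1184 Dnscache
svchost.exe                   1200 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                   1404 Spooler
mdm.exe                       1580 MDM
explorer.exe                  1120 N/A
HOTSYNC.EXE                   1520 N/A
tasklist.exe                  2196 N/A
"""

# Constructed baseline: images the article's example shows as standard
# Windows components. Anything else is worth looking up before trusting it.
BASELINE_IMAGES = {
    "System Idle Process", "System", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "tasklist.exe",
}

# A data row: an image name (may contain spaces), a numeric PID, then services.
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(field):
    """Turn 'A, B, C' into ['A', 'B', 'C']; 'N/A' means no service is hosted."""
    field = field.strip()
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Parse 'tasklist /svc' output into a list of {image, pid, services} dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: continuation of the previous row's service list.
            if rows:
                rows[-1]["services"].extend(_split_services(line))
            continue
        match = _ROW.match(line)
        if not match:
            continue  # the header and '====' separator lines carry no PID
        rows.append({
            "image": match.group("image"),
            "pid": int(match.group("pid")),
            "services": _split_services(match.group("svcs")),
        })
    return rows


def services_by_pid(rows):
    """Map PID -> hosted services, so each svchost.exe instance can be told apart."""
    return {r["pid"]: r["services"] for r in rows if r["services"]}


def host_of_service(rows, service_name):
    """Return (image, pid) of the process hosting a service, or None if absent."""
    wanted = service_name.lower()
    for r in rows:
        if wanted in (s.lower() for s in r["services"]):
            return r["image"], r["pid"]
    return None


def unexpected_images(rows, baseline=BASELINE_IMAGES):
    """Images not in the baseline: the ones to identify via the lists linked above."""
    known = {b.lower() for b in baseline}
    return sorted({r["image"] for r in rows if r["image"].lower() not in known})


if __name__ == "__main__":
    # Usage: python tasklist_svc.py [saved.txt]   (produce it with: tasklist /svc > saved.txt)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    parsed = parse_tasklist_svc(text)
    for pid, svcs in sorted(services_by_pid(parsed).items()):
        print(f"PID {pid}: {', '.join(svcs)}")
    print("Not in baseline:", ", ".join(unexpected_images(parsed)))
```

On the sample, the "not in baseline" report comes back with exactly the two names the article opens with (mdm.exe) and a third-party tool (HOTSYNC.EXE), which is the triage list you would then check against the process lists linked above. The parser keys on the numeric PID column rather than fixed column widths, so it copes with image names that contain spaces.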
How to Stop Auto-Running Processes
A common problem with unwanted processes is that they keep coming back, again and again... This is most common with worm-type viruses (by design ;-). Basically, Windows O/S's provide four methods for auto-running processes:
- Run as a service.
- Use the task scheduler.
- Use startup files.
- Use the system registry.
Note that the above list can be extended by installing third-party software, such as task schedulers, "agents" or other pieces of software that can "trigger" another process.
We will now learn how to stop auto-running processes for each of the above-mentioned methods.
Stopping services is easy. Just use one of the following:
- NT 4.0: Run the Services applet from the control panel. Select the service you want to stop and click "Stop".
- Windows 2000/XP: Run services.msc (from Start, Run... or command prompt). Select the service which you want to stop, right click it and click "Stop".
Tip: by right-clicking the service and selecting "Properties", more details can be found about the service. One important detail is the path to the executable. In some cases, this detail can give you an idea about the source of this service. From the following example, we can learn (by the path) that this service is related to Norton AntiVirus (and also learn that the rtvscan.exe shown in the task manager is actually this process :-)
- Alternative (NT-based systems): use the command net stop ServiceName from a command prompt.
- Windows 95/98/98SE/Me: Services do not exist on those O/S's, so you won't have to stop them :-)
Stopping Scheduled Tasks
- Control Panel --> Scheduled Tasks. Check the list for "suspicious" tasks.
- Windows NT-based systems (includes 2000, XP): issue the at command (with no parameters) at a command prompt.
Check the following files (on DOS-based operating systems, such as 95/98/Me):
The above are plain ASCII text files, which can be edited with any text editor (like notepad under Windows, or edit under DOS).
Editing The Registry
Many programmers use the registry to start a process each time the system starts, or each time a user logs on. You will have to examine each of the following registry keys for "suspicious" programs:
General registry notes:
- The data value for a value is a command line.
- By default, Run keys are ignored in Safe mode.
- If more than one program is registered under any particular key, the order in which those programs are run is indeterminate.
- Run each time a new user logs in.
- For Windows 98, 98 SE, Me, NT 4.0 SP3+, 2000 and XP, an additional rule is available: the value name can be prefixed with an asterisk (*) to force the program to run even in Safe mode. Another thing: the value name can be prefixed with an exclamation point (!) to defer deletion of the value until after the command has been completed.
- Run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon. These keys are for background services such as remote registry service and are run only once per boot.
- Run as part of Setup's first-boot activities, or after you use the Add/Remove Programs Wizard. Used only by Setup. This key displays the progress dialog box as the keys are run one at a time. The name of the value is the name that is displayed in the dialog box.
- Not certified by Microsoft - just a key I had bad eXPerience with ;-)
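The value-name prefix rules above are easy to misread when you are staring at a Run key in the registry editor, so here is an added Python example (written for this page, not part of the article) that applies them: it strips the "*" and "!" prefixes, decides whether each value would run in normal or Safe mode, pulls the executable path out of the command line (the "path to executable" tip from the services section applies here too), and, on Windows only, can read a Run key through the standard winreg module. The value names and paths in SAMPLE_RUN_VALUES are constructed placeholders, not real autostart entries; treating "*" and "!" as combinable in either order is an assumption made here.

```python
import sys

# Constructed sample of what a Run/RunOnce key might hold: value name -> command
# line (the data of each value is a command line, as the notes above say).
# Names and paths are placeholders, not real autostart entries.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "*ExampleForcedEntry": r'"C:\Program Files\Example Vendor\agent.exe" /background',
    "!ExampleDeferred": r"C:\Example\cleanup.exe /once",
    "ExampleUpdater": r"C:\Example\updater.exe --check",
}


def parse_value_name(name):
    """Apply the value-name prefix rules from the notes above.

    '*' forces the command to run even in Safe mode; '!' defers deletion of a
    RunOnce value until the command has completed. Both prefixes are accepted
    in either order (assumption made here). Returns
    (display_name, force_in_safe_mode, defer_deletion).
    """
    force_safe_mode = defer_deletion = False
    i = 0
    while i < len(name) and name[i] in "*!":
        if name[i] == "*":
            force_safe_mode = True
        else:
            defer_deletion = True
        i += 1
    return name[i:], force_safe_mode, defer_deletion


def executable_from_command_line(command):
    """Extract the executable path from a command line; quoted paths may contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def audit_run_values(values, safe_mode=False):
    """Decide, for each value, whether it would run at this boot/logon.

    Run keys are ignored in Safe mode unless the '*' prefix is present.
    Returns a list of dicts sorted by display name.
    """
    report = []
    for name, command in values.items():
        display, force, defer = parse_value_name(name)
        report.append({
            "name": display,
            "executable": executable_from_command_line(command),
            "runs": force or not safe_mode,
            "forced_in_safe_mode": force,
            "defer_deletion": defer,
        })
    return sorted(report, key=lambda r: r["name"].lower())


def read_run_values(hive_name, subkey):
    """Windows only: read value name -> command line from a registry key via winreg."""
    import winreg  # only available on Windows
    result = {}
    with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under this key
            result[name] = str(data)
            index += 1
    return result


if __name__ == "__main__":
    # Usage: python run_keys.py [--safe-mode]
    values = SAMPLE_RUN_VALUES
    if sys.platform == "win32":
        # The well-known per-machine Run key; the per-user and RunOnce keys can
        # be read the same way by changing the hive and subkey.
        values = read_run_values("HKEY_LOCAL_MACHINE",
                                 r"Software\Microsoft\Windows\CurrentVersion\Run")
    for entry in audit_run_values(values, safe_mode="--safe-mode" in sys.argv):
        print(entry)
```

Running the audit with safe_mode=True on the sample shows only the "*"-prefixed entry as still running, which is exactly the point of the Safe-mode note above: booting into Safe mode stops most Run-key entries, but not one that an author has deliberately marked with an asterisk, so those deserve the same scrutiny as the executable paths.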