Know the Processes Running on Your System!

When troubleshooting "strange" phenomena I'm not familiar with, one of the first things I usually do is to look at the running tasks. But... what exactly is "MDM.EXE"? Should it be there? Is it a virus? Spyware? A system component? Or maybe it's my modem driver? Hey, and what about "SVCHOST.EXE"? It appears about 4 times and takes LOADS of memory...

Well, things sure would be simpler if you only knew... This article will try to make you familiar with processes running on your Windows O/S, or at least to give you some ideas ;-)

Links to Windows Processes & Services Lists

Well, I could put here a list of well-known and less-known processes, with detailed information about each, but... other people have already done that for you :-)


Using Command-Line Tools to List Processes

If you have installed the Support Tools from the Windows 2000 CD-ROM (recommended!), you may find the TLIST.EXE tool very useful. Its general purpose is to display a list of the applications and associated tasks/processes currently running on a system. This tool should be run from a command (cmd) prompt. The best way to use it is by issuing the command TLIST -s. The -s argument tells the command to show the services active in each process. Example #1 shows a sample output:

X:\> tlist -s

   0 System Process
   8 System
 176 SMSS.EXE
 204 CSRSS.EXE
 228 WINLOGON.EXE
 256 SERVICES.EXE    Svcs:  Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,
lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,
seclogon,TrkSvr,TrkWks,W32Time,Wmi
 268 LSASS.EXE       Svcs:  kdc,Netlogon,NtLmSsp,PolicyAgent,SamSs
 384 termsrv.exe     Svcs:  TermService
 520 svchost.exe     Svcs:  RpcSs
 824 msdtc.exe       Svcs:  MSDTC
 932 cisvc.exe       Svcs:  cisvc
 948 dfssvc.exe      Svcs:  Dfs
 960 tcpsvcs.exe     Svcs:  DHCPServer,LPDSVC
 992 ismserv.exe     Svcs:  IsmServ
1012 LLSSRV.EXE      Svcs:  LicenseService
1060 vmimb.exe       Svcs:  MSPOP3Connector
1136 sqlservr.exe    Svcs:  MSSQLSERVER
1168 msmdsrv.exe     Svcs:  MSSQLServerOLAPService
1204 ntfrs.exe       Svcs:  NtFrs
1288 regsvc.exe      Svcs:  RemoteRegistry
1300 LOCATOR.EXE     Svcs:  RpcLocator
1308 mstask.exe      Svcs:  Schedule
1356 SNMP.EXE        Svcs:  SNMP
1392 svchost.exe     Svcs:  TapiSrv
1456 tlntsvr.exe     Svcs:  TlntSvr
1592 Upssrv.exe      Svcs:  UPSMON_Service
1632 WinMgmt.exe     Svcs:  WinMgmt
1660 MsPMSPSv.exe    Svcs:  WMDM PMSP Service
1672 svchost.exe     Svcs:  wuauserv
1688 DNS.EXE         Svcs:  DNS
1700 inetinfo.exe    Svcs:  IISADMIN,IMAP4Svc,MSFTPSVC,NntpSvc,POP3Svc,RESvc,
SMTPSVC,W3SVC
1748 Upsmon.exe
1764 EXMGMT.EXE      Svcs:  MSExchangeMGMT
1828 UPSData.exe
1900 MAD.EXE         Svcs:  MSExchangeSA
1980 mssearch.exe    Svcs:  MSSEARCH
2472 STORE.EXE       Svcs:  MSExchangeIS
2736 EMSMTA.EXE      Svcs:  MSExchangeMTA
3704 cidaemon.exe
1604 cidaemon.exe
3636 cidaemon.exe
2124 DLLHOST.EXE
2216 DLLHOST.EXE
 784 CSRSS.EXE       Title: 
 588 WINLOGON.EXE    Title: NetDDE Agent
3360 rdpclip.exe     Title: CB Monitor Window
3828 explorer.exe    Title: Program Manager
3892 internat.exe    Title: 
2464 svchost.exe     Svcs:  BITS
2976 spoolsv.exe     Svcs:  Spooler
1752 FXSSVC.exe      Svcs:  SharedFax
3980 svchost.exe     Svcs:  EventSystem,Netman,NtmsSvc,RasMan
3600 explorer.exe
3932 internat.exe
3540 winamp.exe
2836 CMD.EXE         Title: C:\WINNT\System32\cmd.exe
4096 tlist.exe
4180 clip.exe

If you're running Windows XP, you'll find an even better built-in tool: TASKLIST.EXE. This tool comes with a default installation of Windows XP (no need to install the Support Tools). The best way to use it is by issuing the command TASKLIST /svc (again, this argument tells the command to display the services hosted in each process). Example #2 shows a sample output:

X:\> tasklist /svc

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     620 N/A
csrss.exe                    692 N/A
winlogon.exe                 716 N/A
services.exe                 760 Eventlog, PlugPlay
lsass.exe                    772 Netlogon, PolicyAgent, ProtectedStorage,
                                 SamSs
svchost.exe                  952 RpcSs
svchost.exe                 1052 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 lanmanserver, lanmanworkstation, Messenger,
                                 Netman, Nla, RasMan, Schedule, seclogon,
                                 SENS, ShellHWDetection, srservice, TapiSrv,
                                 TermService, Themes, TrkWks, uploadmgr,
                                 W32Time, winmgmt, WmdmPmSp, wuauserv, WZCSVC
svchost.exe                 1184 Dnscache
svchost.exe                 1200 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1404 Spooler
mdm.exe                     1580 MDM
nvsvc32.exe                 1628 NVSvc
snmp.exe                    1684 SNMP
svchost.exe                 1708 stisvc
MsPMSPSv.exe                1756 WMDM PMSP Service
fxssvc.exe                  1892 Fax
explorer.exe                1120 N/A
point32.exe                 1348 N/A
ctfmon.exe                  1480 N/A
msmsgs.exe                   884 N/A
HOTSYNC.EXE                 1520 N/A
notepad.exe                  684 N/A
iexplore.exe                2160 N/A
cmd.exe                     3252 N/A
tasklist.exe                2196 N/A
clip.exe                    3996 N/A
wmiprvse.exe                 268 N/A
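The listings above are easier to review when turned into a PID-to-services map, especially when the Services column wraps onto continuation lines as it does for lsass.exe and the busy svchost.exe. The following is an added example, not code from the original article: a small parser for the `tasklist /svc` layout, run over a constructed sample (the svchost.exe at PID 2404 is invented to show the check for a service host that hosts nothing).

```python
import re

# Constructed sample in the layout of `tasklist /svc` (Example #2 above):
# lsass.exe shows a wrapped Services column; the svchost.exe at PID 2404 is
# a constructed instance that hosts no service, which the check below flags.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
lsass.exe                    772 Netlogon, PolicyAgent, ProtectedStorage,
                                 SamSs
svchost.exe                  952 RpcSs
svchost.exe                 1200 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 2404 N/A
explorer.exe                1120 N/A
"""

# A process row is: image name, PID, then the first chunk of the Services
# column. Continuation rows of a wrapped column are indented and have no PID.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

def _split_svcs(chunk):
    names = [s.strip() for s in chunk.split(",")]
    return [s for s in names if s and s != "N/A"]   # "N/A" means none

def parse_tasklist_svc(text):
    """Return {pid: (image, [service, ...])} from `tasklist /svc` output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue                      # blank, header or separator row
        if line[0].isspace():             # wrapped Services column
            if last_pid is not None:
                procs[last_pid][1].extend(_split_svcs(line))
            continue
        m = ROW.match(line)
        if m:
            last_pid = int(m.group("pid"))
            procs[last_pid] = (m.group("image"), _split_svcs(m.group("svcs")))
    return procs

def empty_svchosts(procs):
    """PIDs named svchost.exe that host no service. svchost.exe exists only
    to host services, so such an instance deserves a closer look."""
    return sorted(pid for pid, (img, svcs) in procs.items()
                  if img.lower() == "svchost.exe" and not svcs)

if __name__ == "__main__":
    print(empty_svchosts(parse_tasklist_svc(SAMPLE)))   # [2404]
```

On a live system, feed the function the captured output of `tasklist /svc` instead of SAMPLE.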

How to Stop Auto-Running Processes

A common problem with unwanted processes is that they keep coming back, again and again... This is most common with worm-type viruses (by design ;-). Basically, Windows O/S's provide 4 methods for auto-running processes:

  1. Run as a service.
  2. Use the task scheduler.
  3. Use startup files.
  4. Use the system registry.

Note that the above list can be extended by installing third-party software, such as task schedulers, "agents" or other pieces of software that can "trigger" another process.

We will now learn how to stop processes from auto-running for each of the above-mentioned methods.

Stopping Services

Stopping services is easy. Just use one of the following:

  • NT 4.0: Run the Services applet from the Control Panel. Select the service you want to stop and click "Stop".
  • Windows 2000/XP: Run services.msc (from Start, Run... or a command prompt). Select the service you want to stop, right-click it and click "Stop".
    Tip: by right-clicking the service and selecting "Properties", you can find more details about the service. One important detail is the path to the executable, which in some cases gives you an idea of where the service came from. In one such case, the path showed that the service was related to Norton AntiVirus (and also that the rtvscan.exe shown in the Task Manager was actually this service :-)
  • Alternative (NT-based systems): use the command net stop ServiceName from a command prompt.
  • Windows 95/98/98SE/Me: Services do not exist on those O/S's, so you won't have to stop them :-)

Stopping Scheduled Tasks

  • Control Panel --> Scheduled Tasks. Check the list for "suspicious" tasks.
  • Windows NT-based systems (includes 2000, XP): issue the at command (with no parameters) at a command prompt.

Startup Files

Check the following files (on DOS-based operating systems, such as 95/98/Me):

  • AUTOEXEC.BAT
  • CONFIG.SYS
  • WINSTART.BAT
  • WIN.INI
  • SYSTEM.INI

The above are plain ASCII text files, which can be edited with any text editor (like notepad under Windows, or edit under DOS).

Editing The Registry

Many programmers use the registry to start a process each time the system starts, or each time a user logs on. You will have to examine each of the following registry keys for "suspicious" programs:

Registry Key                                                    Notes
HKLM\Software\Microsoft\Windows\CurrentVersion\Run              1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run              1
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce          1, 2
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce          1, 2
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices      3
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce  3
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup    4
HKLM\Software\Microsoft\Windows\CurrentVersion\Reinstall        5

General registry notes:

  • The data value for a value is a command line.
  • By default, Run keys are ignored in Safe mode.
  • If more than one program is registered under any particular key, the order in which those programs are run is indeterminate.

Key-specific notes:

  1. Run each time a new user logs in.
  2. For Windows 98, 98 SE, Me, NT 4.0 SP3+, 2000 and XP, an additional rule applies: the value name can be prefixed with an asterisk (*) to force the program to run even in Safe mode. Also, the value name can be prefixed with an exclamation point (!) to defer deletion of the value until after the command has completed.
  3. Run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon. These keys are for background services such as remote registry service and are run only once per boot.
  4. Run as part of Setup's first-boot activities, or after you use the Add/Remove Programs Wizard. Used only by Setup. This key displays the progress dialog box as the keys are run one at a time. The name of the value is the name that is displayed in the dialog box.
  5. Not certified by Microsoft - just a key I had bad eXPerience with ;-)
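When going through the Run keys above by hand, two things matter for each value: the prefix on its name (note 2) and where the command line actually points, since the path often reveals the origin of the program just as it did for the service above. The following is an added example, not code from the original article; the (value name, command line) pairs are constructed sample data standing in for what a Windows host would return from the standard winreg module.

```python
# Constructed sample of (value name, command line) pairs as they would be
# read from a Run key (on Windows, e.g. with the standard winreg module).
SAMPLE_RUN_VALUES = [
    ("VideoTray", r"RUNDLL32.EXE C:\WINDOWS\System32\vidtray.dll,Startup"),
    ("*Restore", r"C:\Program Files\Restore\restore.exe /autorun"),
    ("!CleanupOnce", r'"C:\Program Files\Vendor Tool\cleanup.exe" /silent'),
    ("Updater", r"C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe"),
]

def parse_run_value(name, cmdline):
    """Decode the value-name prefixes from note 2 and split the command
    line (the value's data) into executable path and arguments."""
    stripped = name.lstrip("*!")
    prefix = name[:len(name) - len(stripped)]
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):           # quoted path: unambiguous
        end = cmdline.find('"', 1)
        exe, args = cmdline[1:end], cmdline[end + 1:].strip()
    else:
        # An unquoted path with spaces is ambiguous; Windows tries successive
        # space-delimited prefixes, so take the first one that names an .exe.
        tokens = cmdline.split(" ")
        exe, args = tokens[0], " ".join(tokens[1:])
        for i in range(1, len(tokens) + 1):
            cand = " ".join(tokens[:i])
            if cand.lower().endswith(".exe"):
                exe, args = cand, " ".join(tokens[i:])
                break
    return {
        "name": stripped,
        "safe_mode": "*" in prefix,     # '*': runs even in Safe mode
        "defer_delete": "!" in prefix,  # '!': value deleted only after the command completes
        "exe": exe,
        "args": args,
    }

def temp_launched(values):
    """Names of entries whose executable lives under a Temp directory, a
    location legitimate installers rarely use for an auto-start program."""
    parsed = [parse_run_value(n, c) for n, c in values]
    return [p["name"] for p in parsed if "\\temp\\" in p["exe"].lower()]

if __name__ == "__main__":
    for n, c in SAMPLE_RUN_VALUES:
        print(parse_run_value(n, c))
    print("launched from Temp:", temp_launched(SAMPLE_RUN_VALUES))   # ['Updater']
```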

Bibliography

  • Microsoft knowledge base article Q137367
  • Microsoft knowledge base article Q314866