InfoExchange

INFORMATION ON SYSTEM PROCESSES PART 3


Post  Admin Tue Jun 09, 2009 5:28 pm

Here are the most common system processes, as I mentioned in part 2 of this article.


*SVCHOST.EXE
-What is svchost.exe?

The file svchost.exe is the Generic Host Process for Win32 Services used for administering 16-bit-based dynamically linked library files (DLL files) including other supplementary support applications.

As operating systems became more complex, Microsoft decided to run more software functionality from a dynamic link library (DLL) interface. However, DLLs are unable to launch themselves; at least one executable program, i.e. svchost.exe, is needed to bridge between the library process and the operating system.

Through the solitary file svchost.exe, the DLLs efficiently contain and dispense Win32 services as well as neatly facilitate the execution of svchost.exe’s own operations. Acting as a host, the file svchost.exe creates multiple instances of itself. The multiple executions of the file svchost.exe contribute to the stability and security of the operating system by reducing the possibility of a crashing process that causes a domino effect on its neighbor processes, thereby creating a system-wide crash in the machine.


Other instances of SVCHOST.EXE:

1) svchost.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

2) svchost.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

3) svchost.exe is a process belonging to Microsoft Service Host Process. This could also be a stealth monitoring software that sits in the background and tracks all activities such as keyboard input (including websites visited, passwords etc.) This information can be sent to third parties through email or ftp uploads. If you did not intentionally install this program make sure you remove it to protect your privacy.


*SBIESVC.EXE
-Note: Only those who use Sandboxie Software can have this process. I've included it since it has become natural for me to install this Sandboxie Software after a reformat.

What is sbiesvc.exe?
sbiesvc.exe is a Sandboxie Service from tzuk belonging to Sandboxie.


*EXPLORER.EXE
-Very common; it's the desktop that you see every time you open up your computer. It's the master controller: you cannot see the Start button or the icons on your desktop when it's not running.

What is explorer.exe?

The explorer.exe file is an executable file for Windows Explorer. In the Microsoft Windows operating system, the explorer.exe file runs and has a graphical user interface that you can see when you are opening hard drives or files. Sometimes, the graphical user interface of the explorer.exe file is referred to as Windows GUI shell or Explorer.

The explorer.exe file was created to replace the Windows 3.x File Manager, which is the older version of the application embedded on previous versions of the MS Windows environment. The explorer.exe file is executed when the user double-clicks on the My Computer desktop icon and the one found in the Start menu. The explorer.exe file was initially used only to navigate or browse files, but as newer versions of Windows were released, it evolved to being a file management system that is task-based.


Other instances of EXPLORER.EXE:

1) explorer.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.



*ALG.EXE
-What is alg.exe?

The alg.exe executable allows applications (such as IM clients, RTSP, BitTorrent, SIP, and FTP) from a client computer to dynamically utilize passive TCP/UDP ports in communicating with known ports on a server. This allows software to access applications that reside on another computer even if there is a firewall.

The alg.exe file’s absence would cause the security protocols to block communication ports, or for network administrators to consciously open numerous ports on the firewall that would create immense network vulnerability and potential threats.

The development of alg.exe was done within the context of computer networking architectures, where it is associated with the Application Level (or Layer) Gateway Service, as well as Network Address Translation, and is designed to supplement the firewall protection of a network.


Recommendation:
alg.exe should not be disabled; it is required for essential applications to work properly.




*SERVICES.EXE
-What is services.exe?

services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.


Other instances of SERVICES.EXE:

1) services.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.



*WINLOGON.EXE
-What is winlogon.exe?

winlogon.exe is a process belonging to the Windows login manager. It handles the login and logout procedures on your system. This program is important for the stable and secure running of your computer and should not be terminated.


Other instances of WINLOGON.EXE:

1) winlogon.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.



*CSRSS.EXE
-What is csrss.exe?

csrss.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.


Other instances of CSRSS.EXE:

1) csrss.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

2) The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such, csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed.

Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneous running tasks. Threads supported by csrss.exe are different from processes in that threads are commonly contained within the process, with various threads sharing resources within the same process. The Win32 console is the plain text window in the Windows API system (programs can use the console without the need for image display).

In mobile devices such as notebooks and laptops, the process csrss.exe is closely dependent on power management schemes implemented by the system as defined under the Control Panel option.

This process should be treated as suspicious if there are two instances running. Always take note of the process location when trying to determine whether or not the process is genuine or malicious.

This Windows component should be located in your Windows System directory, i.e. something similar to C:\Windows\System32\csrss.exe




*SMSS.EXE
-What is smss.exe?

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager Subsystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.



Other instances of SMSS.EXE:

1) smss.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.



*SYSTEM IDLE PROCESS
In Windows NT operating systems, the System Idle Process contains one or more kernel threads which run when no other runnable thread can be scheduled on a CPU. For example, there may be no runnable thread in the system, or all runnable threads are already running on a different CPU. In a multiprocessor system, there is one idle thread associated with each CPU.

The threads in the System Idle Process are used by Windows NT to implement CPU power saving. The exact power saving scheme depends on the hardware and firmware capabilities of the system in question. For instance, on x86 processors, the idle thread will run a loop of HLT instructions, which causes the CPU to turn off many internal components and wait until an interrupt request arrives.

The CPU time consumed by the System Idle Process is commonly of interest for end users, as it is a measure of the CPU utilization in their system which is easily accessible through Windows' Task Manager program. There are, however, more detailed sources of such information available through Windows' performance monitoring system (accessible with the perfmon program), which includes more finely grained categorization of CPU time spending. A limited subset of the CPU time categorization is also accessible through the Task Manager, which can display CPU usage by CPU, and categorized by time spent in user vs. kernel code. It should be noted, though, that that information is not calculated from information about the System Idle Process, but from the system's global performance counters.


*LSASS.EXE
-What is lsass.exe?

lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.


Other instances of LSASS.EXE:

1) lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

2) lsass.exe is registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.


Warning: Multiple instances of LSASS may be running on your pc at one time. Some of these may or may not be the legitimate versions.


Sources:
http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/

http://www.liutilities.com/products/wintaskspro/processlibrary/sbiesvc/

http://www.liutilities.com/products/wintaskspro/processlibrary/alg/

http://www.liutilities.com/products/wintaskspro/processlibrary/explorer/

http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

http://www.liutilities.com/products/wintaskspro/processlibrary/services/

http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/

http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/

http://www.liutilities.com/products/wintaskspro/processlibrary/smss/


http://en.wikipedia.org/wiki/System_Idle_Process

Admin

Posts : 408
Join date : 2009-04-25

https://xd627.forumotion.net
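
Added example, not part of the original post: a PowerShell check that applies the post's advice to look at the process location and the number of running instances for the process names it lists. The expected folders assume a default Windows install under %SystemRoot%, and the instance counting assumes that current Windows versions run csrss.exe and winlogon.exe once per logon session.

```powershell
# Added example (not from the original post). Expected folders are assumptions
# for a default install rooted at %SystemRoot%; adjust for your environment.
$sys32 = Join-Path $env:SystemRoot 'System32'
$expectedDir = @{
    'svchost.exe'  = $sys32
    'services.exe' = $sys32
    'winlogon.exe' = $sys32
    'csrss.exe'    = $sys32
    'smss.exe'     = $sys32
    'lsass.exe'    = $sys32
    'alg.exe'      = $sys32
    'explorer.exe' = $env:SystemRoot
}
$oncePerSystem  = 'lsass.exe', 'services.exe'   # a second copy is worth a look
$oncePerSession = 'csrss.exe', 'winlogon.exe'   # assumption: one per session

# Collect every running process whose name matches one of the names above.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -and $expectedDir.ContainsKey($_.Name) }

# Compare each image path with the folder the genuine file lives in.
$report = foreach ($p in $procs) {
    $status = if (-not $p.ExecutablePath) {
        'PathUnavailable'      # protected process, or shell is not elevated
    } elseif ((Split-Path $p.ExecutablePath -Parent) -eq $expectedDir[$p.Name]) {
        'ExpectedLocation'
    } else {
        'UNEXPECTED LOCATION'  # same name, different folder: investigate
    }
    [pscustomobject]@{
        Name    = $p.Name
        PID     = $p.ProcessId
        Session = $p.SessionId
        Path    = $p.ExecutablePath
        Status  = $status
    }
}
$report | Sort-Object Status, Name | Format-Table -AutoSize

# Flag names that are running more often than expected.
$dupes  = @($procs | Where-Object { $oncePerSystem -contains $_.Name } |
    Group-Object Name | Where-Object Count -gt 1)
$dupes += @($procs | Where-Object { $oncePerSession -contains $_.Name } |
    Group-Object Name, SessionId | Where-Object Count -gt 1)
foreach ($g in $dupes) {
    Write-Warning "$($g.Count) instances of $($g.Name) are running"
}
```

Run it from an elevated prompt; a PathUnavailable row means the path could not be read, not that the process is malicious.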
