What processes are normally running?

Tools such as Task Manager, System Monitor, and TLIST provide a list of processes. To identify unexpected processes, you need to know which processes normally run as part of Windows. The following table lists some normal processes and their purposes.

From Microsoft Knowledge Base Article Q263201

| Process | End with Taskmgr | Purpose |
| --- | --- | --- |
| Csrss.exe | cannot | This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and deleting threads, and some parts of the 16-bit virtual MS-DOS environment. |
| Explorer.exe | can | This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped and restarted from Task Manager, usually with no negative side effects on the system. |
| Internat.exe | can | Internat.exe runs at startup; it loads the different input locales specified by the user. The locales to be loaded are taken from the following registry key: HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. Internat.exe loads the "EN" icon into the system tray, allowing the user to easily switch between locales. |
| Lsass.exe | cannot | This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. |
| Mstask.exe | cannot | This is the task scheduler service, responsible for running tasks at a time predetermined by the user. |
| Smss.exe | cannot | This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang). |
| Spoolsv.exe | cannot | The spooler service is responsible for managing spooled print/fax jobs. |
| Svchost.exe | cannot | This is a generic process, which acts as a host for other processes running from DLLs; therefore, don't be surprised to see more than one entry for this process. To see what processes are using Svchost.exe, use Tlist.exe. |
| Services.exe | cannot | This is the Services Control Manager, which is responsible for starting, stopping, and interacting with system services. |
| System | cannot | Most system kernel-mode threads run as the System process. |
| System Idle Process | cannot | This process is a single thread running on each processor, which has the sole task of accounting for processor time when the system isn't processing other threads. |
| Taskmgr.exe | can | This is the process for Task Manager itself. |
| Winlogon.exe | cannot | This is the process responsible for managing user logon and logoff. Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box. |
| Winmgmt.exe | cannot | Winmgmt.exe is a core component of client management in Windows 2000. This process starts when the first client application connects. |
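
One way to apply this baseline, as an added example that is not part of the Knowledge Base article or the original page: the Python below compares a process listing against the image names in the table and separates near-miss names from plain unknowns. The `PID,image name` input format, the sample listing and the 0.85 similarity threshold are assumptions made for the illustration.

```python
from difflib import SequenceMatcher

# Image names from the table above (the Q263201 list), lower-cased.
BASELINE = {
    "csrss.exe", "explorer.exe", "internat.exe", "lsass.exe", "mstask.exe",
    "smss.exe", "spoolsv.exe", "svchost.exe", "services.exe", "system",
    "system idle process", "taskmgr.exe", "winlogon.exe", "winmgmt.exe",
}
LOOKALIKE_RATIO = 0.85  # assumed threshold; tune against your own hosts

# Constructed sample listing ("PID,image name"); not output from a real host or tool.
SAMPLE = """\
0,System Idle Process
140,smss.exe
168,CSRSS.EXE
220,services.exe
232,lsass.exe
404,svchost.exe
460,svchost.exe
812,explorer.exe
1016,scvhost.exe
1100,notepad.exe
"""

def closest_baseline(name):
    """Return (baseline_name, similarity) for the most similar baseline entry."""
    scored = ((SequenceMatcher(None, name, b).ratio(), b) for b in BASELINE)
    ratio, best = max(scored)
    return best, ratio

def classify(listing):
    """Split a 'PID,image name' listing into expected / lookalike / unknown."""
    report = {"expected": [], "lookalike": [], "unknown": []}
    for line in filter(None, map(str.strip, listing.splitlines())):
        pid, name = (part.strip() for part in line.split(",", 1))
        key = name.lower()  # Windows image names are case-insensitive
        best, ratio = closest_baseline(key)
        if key in BASELINE:
            report["expected"].append((int(pid), name))
        elif ratio >= LOOKALIKE_RATIO:
            # Near-miss of a baseline name: review before plain unknowns.
            report["lookalike"].append((int(pid), name, best))
        else:
            report["unknown"].append((int(pid), name))
    return report

if __name__ == "__main__":
    for bucket, rows in classify(SAMPLE).items():
        print(bucket, rows)
```

A name that matches the baseline only shows that the name is expected; the file's path and origin still need to be checked separately.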