Windows Server Troubleshooting - Default Processes


2003-2006 Team Approach Limited
All rights reserved

What processes are normally running?

Tools such as Task Manager, System Monitor, and TLIST provide a list of running processes. To identify unexpected processes, you need to know which processes normally run as part of Windows. The following table lists some normal processes and their purpose.

From Microsoft Knowledge Base Article Q263201

| Process | End with Taskmgr | Purpose |
|---|---|---|
| Csrss.exe | cannot | This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and deleting threads, and some parts of the 16-bit virtual MS-DOS environment. |
| Explorer.exe | can | This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped and restarted from Task Manager, usually with no negative side effects on the system. |
| Internat.exe | can | Internat.exe runs at startup; it loads the different input locales specified by the user. The locales to be loaded are taken from the following registry key: HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. Internat.exe loads the "EN" icon into the system tray, allowing the user to easily switch between locales. |
| Lsass.exe | cannot | This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. |
| Mstask.exe | cannot | This is the task scheduler service, responsible for running tasks at a time predetermined by the user. |
| Smss.exe | cannot | This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang). |
| Spoolsv.exe | cannot | The spooler service is responsible for managing spooled print/fax jobs. |
| Svchost.exe | cannot | This is a generic process, which acts as a host for other processes running from DLLs; therefore, don't be surprised to see more than one entry for this process. To see what processes are using Svchost.exe, use Tlist.exe. |
| Services.exe | cannot | This is the Services Control Manager, which is responsible for starting, stopping, and interacting with system services. |
| System | cannot | Most system kernel-mode threads run as the System process. |
| System Idle Process | cannot | This process is a single thread running on each processor, which has the sole task of accounting for processor time when the system isn't processing other threads. |
| Taskmgr.exe | can | This is the process for Task Manager itself. |
| Winlogon.exe | cannot | This is the process responsible for managing user logon and logoff. Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box. |
| Winmgmt.exe | cannot | Winmgmt.exe is a core component of client management in Windows 2000. This process starts when the first client application connects. |
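One way to put the table to work, as an added example that is not part of the original page or the KB article: compare a saved process listing against the table's names and report what falls outside it. The `tasklist /FO CSV` input layout, the sample rows, the name `updsvc.exe` and the `CORE` set are assumptions made for the illustration.

```python
import csv
import io
from collections import Counter

# Baseline: the process names in the table above, lower-cased for comparison.
BASELINE = {
    "csrss.exe", "explorer.exe", "internat.exe", "lsass.exe", "mstask.exe",
    "smss.exe", "spoolsv.exe", "svchost.exe", "services.exe", "system",
    "system idle process", "taskmgr.exe", "winlogon.exe", "winmgmt.exe",
}
# Assumption: names treated here as always present on a healthy host.
CORE = {"csrss.exe", "lsass.exe", "smss.exe", "services.exe",
        "winlogon.exe", "system"}

# Constructed sample in the layout of `tasklist /FO CSV` (not real output).
SAMPLE = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","8","Console","0","212 K"
"smss.exe","156","Console","0","344 K"
"CSRSS.EXE","180","Console","0","1,804 K"
"winlogon.exe","200","Console","0","2,440 K"
"services.exe","228","Console","0","3,120 K"
"lsass.exe","240","Console","0","1,040 K"
"svchost.exe","404","Console","0","2,560 K"
"svchost.exe","460","Console","0","5,880 K"
"spoolsv.exe","432","Console","0","2,900 K"
"explorer.exe","812","Console","0","4,100 K"
"updsvc.exe","1044","Console","0","1,220 K"
"""

def triage(listing):
    """Return (unexpected, missing_core, repeated) for a CSV process listing."""
    rows = csv.DictReader(io.StringIO(listing.strip()))
    procs = [(r["Image Name"].strip(), int(r["PID"])) for r in rows]
    # Image names are case-insensitive on Windows, so compare lower-cased.
    counts = Counter(name.lower() for name, _ in procs)
    unexpected = sorted((n, p) for n, p in procs if n.lower() not in BASELINE)
    missing_core = sorted(CORE - set(counts))
    repeated = {n: c for n, c in counts.items() if c > 1}
    return unexpected, missing_core, repeated

if __name__ == "__main__":
    unexpected, missing_core, repeated = triage(SAMPLE)
    print("Not in baseline:", unexpected)
    print("Core processes absent:", missing_core)
    print("Multiple instances:", repeated)
```

A name match says nothing about where the image was loaded from, so treat the result as a shortlist for closer inspection, not a verdict.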