About Windows Process

xiaoxiao2021-03-06  53

[system process] alg.exe csrss.exe

DDHELP.EXE DLLHOST.EXE Explorer.exe

inetinfo.exe internat.exe kernel32.dll

Lsass.exe mdm.exe mmtask.tsk

Mprexe.exe msgsrv32.exe mstask.exe

Regsvc.exe rpcss.exe service.exe

SMSS.exe snmp.exe spool32.exe

Spoolsv.exe stisvc.exe svchost.exe

System taskmon.exe tcpsvcs.exe

Winlogon.exe Winmgmt.exe

Necessary

Unnecessary

General programs

Absr.exe acrobat.exe acrord32.exe

Agentsvr.exe aim.exe airsvcu.exe

AlogServ.exe avconsol.exe avsynmgr.exe

Backweb.exe bcb.exe cagc.exe

ccapp.exe cdplayer.exe charmap.exe

Cidaemon.exe cisvc.exe cmd.exe

CMESYS.EXE CTFMON.EXE CTSVCCDA.EXE

Cutftp.exe defWatch.exe devldr32.exe

DirectCD.exe Dreamweaver.exe em_exec.exe

Excel.exe Findfast.exe FrontPage.exe

gmt.exe hh.exe hidserv.exe

ICQ.EXE IExplore.exe Irmon.exe

Kodakimage.exe loadingqm.exe loadingwc.exe

Mad.exe mcshield.exe mgabg.exe

mmc.exe mobsync.exe mplayer.exe

MPlayer2.exe msaccess.exe msbb.exe

Msdtc.exe msiexec.exe msimn.exe

Msmsgs.exe msoobe.exe mspaint.exe

Mspmspsv.exe mySQLD-NT.EXE NAVAPSVC.EXE

NavaPw32.exe ndtect.exe netscape.exe

Notepad.exe ntbackup.exe ntvdm.exe

NVSVC32.EXE NWIZ.EXE OSA.EXE

Outlook.exe Photoshop.exe Point32.exe

PowerPnt.exe Pstores.exe qttask.exe

Realplay.exe rnaapp.exe rtvscan.exe

Rundll32.exe SndRec32.exe Sndvol32.exe

Spoolss.exe Starter.exe Systray.exe

Tapsrv.exe userinit.exe visio.exe

vptray.exe vshwin32.exe vsmon.exe

vSstat.exe Wab.exe WebScanx.exe

Winamp.exe WinHlp32.exe WinoA386.MOD

WinProj.exe WinRoute.exe Winword.exe

Winzip32.exe wkcalrem.exe wkqkpick.exe

WMPlayer.exe WordPad.exe wowexec.exe ypager.exe

Basic system processes (the system needs these processes in order to run normally):

SMSS.exe session manager

CSRSS.EXE subsystem server process

Winlogon.exe manages user logon

Services.exe contains many system services

Lsass.exe manages the IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers. (system service)

Generates session keys and grants service credentials (tickets) for interactive client/server authentication. (system service)

SVCHOST.EXE contains many system services

svchost.exe

Spoolsv.exe loads files into memory for later printing. (system service)

Explorer.exe Explorer

Internat.exe Pinyin icon

Additional system processes (these processes are not required; you can add or remove them through the service manager as needed):

MStask.exe allows programs to run at the specified time. (system service)

Regsvc.exe allows remote registry operations. (system service)

Winmgmt.exe provides system management information (system service).

INetInfo.exe provides FTP connectivity and administration through the Internet Information Services snap-in. (system service)

TLNTSVR.EXE allows remote users to log in to the system and run console programs using the command line. (system service)

Allows the Web and FTP services to be managed through Internet Information Services. (system service)

TFTPD.exe implements TFTP Internet standards. This standard does not require username and password. Part of the remote installation service. (system service)

Termsrv.exe offers multi-session environments to allow client devices to access virtual Windows 2000 Professional desktop sessions and Windows-based programs running on the server. (system service)

DNS.exe answers query and update requests for Domain Name System (DNS) names. (system service)

The following services are rarely used. The services above are harmful to security and should be turned off if they are not needed.

TCPSVCS.EXE provides the ability to remotely install Windows 2000 Professional on the PXE remote boot client computer. (system service)

Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. (system service)

Ismserv.exe allows you to send and receive messages between Windows Advanced Server sites. (system service)

UPS.exe manages an uninterruptible power supply (UPS) connected to the computer. (system service)

Wins.exe provides NetBIOS name services for TCP/IP clients that register and resolve NetBIOS names. (system service)

Llssrv.exe License Logging Service. (system service)

NTFRS.EXE keeps file directory contents synchronized between multiple servers. (system service)

Rssub.exe controls media used to remotely store data. (system service)

Locator.exe manages the RPC name service database. (system service)

Lserver.exe registers client licenses. (system service)

DFSSVC.exe manages logical volumes distributed across a local area network or wide area network. (system service)

Clipsrv.exe supports the ClipBook Viewer so that clipbook pages can be accessed from remote clipbooks. (system service)

MSDTC.exe coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction-protected resource managers. (system service)

Faxsvc.exe helps you send and receive faxes. (system service)

CISVC.EXE Indexing Service. (system service)

Dmadmin.exe system management service for disk management requests. (system service)

MnMsrvc.exe allows users to access the Windows desktop remotely using NetMeeting. (system service)

Netdde.exe provides the network transport and security features of Dynamic Data Exchange (DDE). (system service)

SMLogSvc.exe configures performance logs and alerts. (system service)

RSVP.exe provides network signaling and local traffic control setup for programs and control applets that depend on Quality of Service (QoS). (system service)

RSENG.EXE coordinates the services and management tools used for storing infrequently used data. (system service)

Rsfsa.exe manages operations on remotely stored files. (system service)

Grovel.exe scans Single Instance Storage (SIS) volumes for duplicate files and points the duplicates to a single data storage point to save disk space. (system service)

Scardsvr.exe manages and controls access to smart cards inserted in a smart card reader attached to the computer. (system service)

SNMP.exe contains the agent that monitors network devices and reports to the network console workstation. (system service)

SNMPTrap.exe receives trap messages generated by local or remote SNMP agents and passes them to the SNMP manager running on this computer. (system service)

Utilman.exe starts and configures accessibility tools from one window. (system service)

Msiexec.exe installs, repairs, and removes software according to the instructions contained in .msi files. (system service)

Win2k running process

Svchost.exe

Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the registry to build the list of services that it needs to load. This is why several instances of Svchost.exe can run at the same time. Each Svchost.exe instance contains a group of services, so which services run separately depends on how and where Svchost.exe is started. This makes it easier to control services and to find errors.

Svchost.exe groups are identified by the values under the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you view the active processes. Each value is of type REG_MULTI_SZ and lists the services that run in that Svchost group. Each Svchost group contains one or more service names taken from the following registry key, whose Parameters subkey contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service

More information

To see the list of services running in each Svchost instance:

Start - Run - type cmd

Then type tlist -s (TLIST should be one of the tools in the Win2K toolbox)

TLIST shows a list of active processes. The -s switch displays the list of active services in each process. If you want to know more about a process, type tlist pid.

The following TLIST output shows two instances of Svchost.exe running.

0 System Process

8 system

132 SMSS.exe

160 CSRSS.EXE TITLE:

180 Winlogon.exe Title: NetDDE Agent

208 Services.exe SVCS: Appmgmt, Browser, DHCP, DMSERVER, DNSCACHE, EventLog, Lanmanserver, Lanmanworkstation, Lmhosts, Messenger, Plugplay, ProtectedStorage, Seclogon, Trkwks, W32Time, WMI

220 LSASS.EXE SVCS: Netlogon, PolicyAgent, Samss

404 SVCHOST.EXE SVCS: RPCSS

452 Spoolsv.exe SVCS: Spooler

544 CISVC.EXE SVCS: CISVC

556 Svchost.exe SVCS: Eventsystem, Netman, NTMSSVC, Rasman, Sens, Tapsrv

580 Regsvc.exe SVCS: RemoteRegistry

596 MStask.exe SVCS: Schedule

660 SNMP.EXE SVCS: SNMP

728 Winmgmt.exe SVCS: WinMgmt

852 Cidaemon.exe Title: OLEMAINTHREADWNDNAME

812 Explorer.exe Title: Program Manager

1032 Osa.exe Title: Reminder

1300 cmd.exe Title: D:\Winnt5\System32\cmd.exe - TLIST -S

1080 Mapisp32.exe Title: WMS IDLE

1264 Rundll32.exe Title:

1000 mmc.exe title: Device Manager

1144 TList.exe

In this example, the registry defines two groups.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost:

Netsvcs: REG_MULTI_SZ:

Eventsystem IAS iPrip Irmon Netman NWSAPAGENT RASAUTO RASMAN RemoteAccess Sens SharedAccess Tapsrv NTMSSVC

RPCSS: REG_MULTI_SZ: RPCSS
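The relationship between the TLIST output and the two registry groups can be checked mechanically. The following Python sketch is an added example, not part of the original article: it parses `tlist -s` lines, maps every svchost.exe instance to the Svchost group that owns its services, and reports instances that host no service or host a service no group defines. The function names and verdict strings are this example's own; the sample lines and group values are copied from the listing above.

```python
import re

# Process lines and Svchost group values copied from the example on this page.
TLIST_OUTPUT = """\
220 LSASS.EXE SVCS: Netlogon, PolicyAgent, Samss
404 SVCHOST.EXE SVCS: RPCSS
556 Svchost.exe SVCS: Eventsystem, Netman, NTMSSVC, Rasman, Sens, Tapsrv
812 Explorer.exe Title: Program Manager
"""
SVCHOST_GROUPS = {
    "Netsvcs": "Eventsystem IAS iPrip Irmon Netman NWSAPAGENT RASAUTO RASMAN "
               "RemoteAccess Sens SharedAccess Tapsrv NTMSSVC".split(),
    "RPCSS": ["RPCSS"],
}

def parse_tlist(text):
    """Return (pid, image, [services]) for each process line of `tlist -s`."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)(.*)$", line)
        if not m:
            continue
        svcs = re.search(r"SVCS:\s*(.*)$", m.group(3), re.IGNORECASE)
        names = [s.strip() for s in svcs.group(1).split(",")] if svcs else []
        rows.append((int(m.group(1)), m.group(2), [n for n in names if n]))
    return rows

def audit_svchost(rows, groups):
    """Map each svchost.exe PID to (registry group, verdict)."""
    # Service names are compared case-insensitively (Rasman vs RASMAN).
    owner = {s.lower(): g for g, svcs in groups.items() for s in svcs}
    report = {}
    for pid, image, svcs in rows:
        if image.lower() != "svchost.exe":
            continue
        unknown = [s for s in svcs if s.lower() not in owner]
        found = {owner[s.lower()] for s in svcs if s.lower() in owner}
        if not svcs:
            verdict = "hosts no services"
        elif unknown:
            verdict = "not in any group: " + ", ".join(unknown)
        elif len(found) > 1:
            verdict = "mixes groups: " + ", ".join(sorted(found))
        else:
            verdict = "ok"
        report[pid] = (found.pop() if len(found) == 1 else None, verdict)
    return report

if __name__ == "__main__":
    for pid, result in audit_svchost(parse_tlist(TLIST_OUTPUT), SVCHOST_GROUPS).items():
        print(pid, *result)
```

A svchost.exe entry that hosts no services, or services outside every registry group, is worth comparing against the expected %SystemRoot%\System32 location described earlier.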

SMSS.exe

CSRSS.EXE

This is the user-mode part of the Win32 subsystem. CSRSS stands for client/server run-time subsystem; it is a basic subsystem that must be running at all times. CSRSS is responsible for console windows, for creating and deleting threads, and for parts of the 16-bit virtual MS-DOS environment.

Explorer.exe

This is the user's shell (I really don't know how to translate "shell"), which we see as the taskbar, the desktop, and so on. This process is not as important to the system as it might seem; you can stop it from the task manager, or restart it.

Doing so usually has no negative impact on the system.

INTERNAT.EXE

This process can be turned off from the task manager.

INTERNAT.EXE starts running at startup. It loads the different input locales specified by the user. The input locales are loaded from the following registry location:

HKEY_USERS\.DEFAULT\Keyboard Layout\Preload

INTERNAT.EXE loads the "EN" icon into the system's icon area, allowing users to switch easily between input locales.

When the process is stopped, the icon disappears, but the input locale can still be changed through the control panel.

LSASS.EXE

This process cannot be turned off from the task manager.

This is the local security authentication service, and it generates the process responsible for authenticating users for the Winlogon service. This is done by using authentication packages, such as the default Msgina.dll. If authentication succeeds, LSASS generates the user's access token, which is used to launch the initial shell. Other processes that the user starts inherit this token.

Mstask.exe

This process cannot be turned off from the task manager.

This is the task scheduling service, responsible for running tasks at a time determined in advance.

SMSS.exe

This process cannot be turned off from the task manager.

This is the session manager subsystem, which is responsible for starting the user session. This process is started by the System process and is responsible for many activities, including launching the Winlogon and Win32 (CSRSS.exe) processes and setting system variables. After it starts these processes, it waits for Winlogon or CSRSS to end. If they end normally, the system shuts down. If they end unexpectedly, smss.exe causes the system to stop responding (that is, hang).

Spoolsv.exe

This process cannot be turned off from the task manager.

The spooler service manages the print and fax jobs in the spool.

Service.exe

This process cannot be turned off from the task manager.

Most system kernel-mode processes run as the System process.

System idle process

This process cannot be turned off from the task manager.

This process runs as a single thread on each processor and occupies the processor when the system is not handling other threads.

Winlogon.exe

This process manages user logon and logoff. Winlogon is activated when the user presses Ctrl+Alt+Del, and it then displays the security dialog box.

Winmgmt.exe

Winmgmt is the core component of client management in Win2000. This process is initialized when a client application connects or when a management application needs its services.

Taskmgr.exe

This process, haha, is the task manager.
