Understanding system processes helps with understanding how the system runs and with finding problems. I found this article today and didn't dare to keep it to myself, so I'm sharing it for your reference!
System process guide!!!

The most basic system processes (these processes are the basic conditions for the system to run; when they are present, the system can run normally):
- SMSS.exe: Session Manager.
- CSRSS.EXE: subsystem server process.
- Winlogon.exe: manages user logon.
- Services.exe: contains many system services.
- LSASS.exe: manages IP security policies and launches the ISAKMP/Oakley (IKE) and IP security drivers. (System service) Generates session keys and grants service credentials (tickets) for interactive client/server authentication. (System service)
- SVCHOST.EXE: contains many system services.
- SPOOLSV.EXE: loads files into memory for later printing. (System service)
- Explorer.exe: Explorer.
- INTERNAT.EXE: the Pinyin (input method) icon.

Additional system processes (these processes are not necessary; you can add or remove them through the Service Manager as needed):
- MStask.exe: allows programs to run at a specified time. (System service)
- Regsvc.exe: allows the registry to be manipulated remotely. (System service)
- Winmgmt.exe: provides system management information. (System service)
- INetInfo.exe: provides FTP connections and administration through the Internet Information Services snap-in. (System service) Also allows the Web and FTP services to be managed through the Internet Information Services snap-in. (System service)
- TLNTSVR.EXE: allows remote users to log in to the system and run console programs using the command line. (System service)
- TFTPD.exe: implements the TFTP Internet standard. This standard requires no username or password. Part of the Remote Installation Service. (System service)
- TERMSRV.EXE: provides a multi-session environment that allows client devices to access virtual Windows 2000 Professional desktop sessions and run Windows-based programs on the server. (System service)
- DNS.exe: answers queries and update requests for Domain Name System (DNS) names. (System service)

The following services are rarely used. The services above are harmful to security and should be turned off if they are not necessary.
- TCPSVCS.exe: provides remote installation of Windows 2000 Professional on PXE remote-boot client computers. (System service) Also supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. (System service)
- ISMSERV.EXE: allows messages to be sent and received between Windows Advanced Server sites. (System service)
- UPS.exe: manages an uninterruptible power supply (UPS) connected to the computer. (System service)
- Wins.exe: provides the NetBIOS name service, registering and resolving NetBIOS names for TCP/IP clients. (System service)
- Llssrv.exe: License Logging Service. (System service)
- NTFRS.exe: synchronizes the contents of file directories between multiple servers. (System service)
- Rssub.exe: controls the media used to store data remotely. (System service)
- Locator.exe: manages the RPC name service database. (System service)
- LserveR.exe: registers client licenses. (System service)
- DFSSVC.exe: manages logical volumes distributed across a LAN or WAN. (System service)
- Clipsrv.exe: supports ClipBook Viewer so that ClipBook pages can be accessed from remote ClipBooks. (System service)
- MSDTC.exe: coordinates transactions that span two or more databases, message queues, file systems, or other transaction-protected resource managers. (System service)
- FaxSvc.exe: helps you send and receive faxes. (System service)
- CISVC.EXE: Indexing Service. (System service)
- Dmadmin.exe: administrative service for disk management requests. (System service)
- MnMsrvc.exe: allows users to access the Windows desktop remotely using NetMeeting. (System service)
- NetDDE.exe: provides network transport and security for Dynamic Data Exchange (DDE). (System service)
- SMLogSvc.exe: configures performance logs and alerts. (System service)
- RSVP.exe: provides network signalling and local traffic control setup for programs that rely on Quality of Service (QoS) and for control applications. (System service)
- RSENG.EXE: coordinates the services and administrative tools used to store infrequently used data. (System service)
- RSFSA.EXE: manages the files held in remote storage. (System service)
- Grovel.exe: scans Single Instance Storage (SIS) volumes for duplicate files and points them at a single data store to save disk space. (System service)
- SCARDSVR.EXE: manages and controls access to smart cards inserted in the computer's smart card reader. (System service)
- SNMP.exe: contains an agent that monitors network devices and reports to the network console workstation. (System service)
- SNMPTrap.exe: receives trap messages generated by local or remote SNMP agents and passes them to the SNMP management programs running on this computer. (System service)
- Utilman.exe: starts and configures accessibility tools from one window. (System service)
- Msiexec.exe: installs, repairs, and removes software according to the instructions in .msi files. (System service)

Detailed description:
SVCHOST.EXE on Win2k. Svchost.exe is the generic host process name for services that run from dynamic-link libraries. The svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, svchost.exe checks the services part of the registry to build a list of the services it needs to load. This causes multiple instances of svchost.exe to run at the same time. Each svchost.exe instance hosts a group of services, so which services run in separate instances depends on how svchost.exe was started. This makes it easier to control the services and to locate errors. The svchost.exe groups are identified by the following registry value.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate svchost group, and it is shown as a separate instance when you view the active processes. Each value is of type REG_MULTI_SZ and lists the services that run within that svchost group. Each svchost group contains one or more service names taken from the following registry key, whose Parameters subkey contains a ServiceDll value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service (where Service is the service name)
More information: To see the services running in each svchost instance, go to Start - Run, type CMD, and then type TLIST -S (TLIST is a tool in the Win2K toolkit). TLIST shows a list of active processes; the -s switch shows the list of active services in each process. To learn more about a particular process, type TLIST followed by its PID.
In this example TLIST shows two instances of svchost.exe running:

   0 System Process
   8 System
 132 smss.exe
 160 csrss.exe      Title:
 180 winlogon.exe   Title: NetDDE Agent
 208 services.exe   Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
 220 lsass.exe      Svcs: Netlogon,PolicyAgent,SamSs
 404 svchost.exe    Svcs: RpcSs
 452 spoolsv.exe    Svcs: Spooler
 544 cisvc.exe      Svcs: cisvc
 556 svchost.exe    Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
 580 regsvc.exe     Svcs: RemoteRegistry
 596 mstask.exe     Svcs: Schedule
 660 snmp.exe       Svcs: SNMP
 728 winmgmt.exe    Svcs: WinMgmt
 852 cidaemon.exe   Title: OleMainThreadWndName
 812 explorer.exe   Title: Program Manager
1032 Osa.exe        Title: Reminder
1300 cmd.exe        Title: D:\Winnt5\System32\cmd.exe - TLIST -S
1080 Mapisp32.exe   Title: WMS Idle
1264 Rundll32.exe   Title:
1000 mmc.exe        Title: Device Manager
1144 TLIST.EXE

The registry defines two groups in this example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
  netsvcs: REG_MULTI_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
  rpcss:   REG_MULTI_SZ: RpcSs
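As an added example (not code from the original article, nor a Microsoft tool), the PowerShell script below walks the same two registry locations the text names, the Svchost key with its REG_MULTI_SZ group values and each service's Parameters\ServiceDll value, and cross-checks them against the running processes, which is what reading TLIST -S output did by hand. It assumes a current Windows PowerShell (Get-CimInstance, Get-Process) rather than a Windows 2000 host; the function names Get-SvchostGroup, Get-ServiceDllInfo and Test-SvchostImagePath are my own. The image path check is included because the article locates svchost.exe in %SystemRoot%\System32, so an instance running from anywhere else is worth investigating.

```powershell
# Added example, not from the original article: enumerate the svchost.exe
# service groups described above and cross-check them against what is
# actually running. Function names are my own choice, not a Windows API.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostGroup {
    # Each REG_MULTI_SZ value under the Svchost key names the services
    # that share one svchost.exe instance.
    $item = Get-Item -Path $svchostKey
    foreach ($name in $item.GetValueNames()) {
        if ($item.GetValueKind($name) -ne 'MultiString') { continue }
        [pscustomobject]@{
            Group    = $name
            Services = @($item.GetValue($name))
        }
    }
}

function Get-ServiceDllInfo {
    param([string]$ServiceName)
    # The DLL a service is loaded from is Services\<name>\Parameters\ServiceDll.
    $paramsPath = Join-Path (Join-Path $servicesKey $ServiceName) 'Parameters'
    $dll = $null
    if (Test-Path $paramsPath) {
        $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    }
    # Expand %SystemRoot% so the path is comparable with on-disk files.
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    [pscustomobject]@{ Service = $ServiceName; ServiceDll = $dll }
}

function Test-SvchostImagePath {
    # Defensive check: every running svchost.exe should be the System32 copy.
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        # Path is $null when the caller lacks the right to open the process.
        $path = try { $_.Path } catch { $null }
        [pscustomobject]@{
            Pid      = $_.Id
            Path     = $path
            Expected = ($null -ne $path -and $path -ieq $expected)
        }
    }
}

# Win32_Service exposes the hosting ProcessId, the same information the
# article reads off "tlist -s" (and "tasklist /svc" shows on current Windows).
$running = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $running[$_.Name] = $_ }

foreach ($group in Get-SvchostGroup) {
    Write-Host "Group '$($group.Group)':"
    foreach ($svc in $group.Services) {
        $info  = Get-ServiceDllInfo -ServiceName $svc
        $rec   = $running[$svc]
        $state = if ($rec) { "$($rec.State) pid=$($rec.ProcessId)" } else { 'not installed' }
        Write-Host ("  {0,-22} {1,-24} {2}" -f $svc, $state, $info.ServiceDll)
    }
}

Write-Host "`nsvchost.exe image path check:"
Test-SvchostImagePath | Format-Table -AutoSize
```

Run it from an elevated prompt so that Get-Process can read the image path of every svchost.exe instance; without elevation the Path column stays empty for the processes you cannot open and the Expected column is false for them.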
CSRSS.EXE
This is part of the user-mode Win32 subsystem. CSRSS stands for Client/Server Run-time Subsystem, and it is an essential subsystem that must be running at all times. CSRSS is responsible for console windows, for creating and deleting threads, and for parts of the 16-bit virtual MS-DOS environment.
Explorer.exe This is the user's shell (I really don't know how to translate "shell"); it is what we see as the taskbar, desktop, and so on. This process is not as essential as the other processes; you can stop it from Task Manager, or restart it, and it usually has no negative impact on the system.
INTERNAT.EXE
This process can be turned off from Task Manager. INTERNAT.EXE starts running at startup. It loads the different input locales specified by the user. The input locales are loaded from the registry at HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. INTERNAT.EXE loads the "En" icon into the system tray, allowing the user to switch easily between input locales. When the process is stopped, the icon disappears, but the input locale can still be changed through Control Panel.
LSASS.exe This process cannot be turned off from Task Manager. This is the Local Security Authority service, and it generates the process that authenticates users for the Winlogon service. Authentication is performed using an authentication package, such as the default Msgina.dll. If authentication succeeds, LSASS generates the user's access token, which is used to launch the initial shell. Other processes started by the user inherit this token.
MStask.exe This process cannot be turned off from Task Manager. This is the Task Scheduler service, responsible for running tasks at the times set in advance.
SMSS.exe This process cannot be turned off from Task Manager. This is the Session Manager subsystem, responsible for starting the user session. This process is started by the system process and performs many activities, including launching Winlogon and the Win32 (CSRSS.exe) threads, and setting system variables. After it starts these processes, it waits for Winlogon or CSRSS to end. If these processes end normally, the system shuts down. If something unexpected happens, smss.exe causes the system to stop responding (that is, to hang).
Spoolsv.exe This process cannot be turned off from Task Manager. The spooler service manages the print and fax jobs in the spooler buffer.
Services.exe This process cannot be turned off from Task Manager. Most system core-mode services run under this system process.
System Idle Process This process cannot be turned off from Task Manager. It runs as a single thread on each processor and is scheduled on the processor whenever the system is not running any other thread.
Winlogon.exe This process manages user logon and logoff. Winlogon is activated when the user presses Ctrl+Alt+Del, and it displays the security dialog box.
Winmgmt.exe Winmgmt is the core component of Win2000 client management. This process is started when a client application connects or when a management application needs its services.
Taskmgr.exe, haha, is the Task Manager.