Windows System Process Introduction
Submitted by: Aku
Windows has been in use for so long that its system processes are by now well known. Today "Three" asked me to look at his machine and see whether there was a suspicious process; the answer turned out to be quite interesting, though I am not sure how useful it is. At the same time I felt it was worth making a brief summary of the Windows system processes so that everyone has something to check against. Part of the content is quoted from "Windows Process Details" and part is translated from an English original (system process); there is nothing new in it, so please just use it for reference.

(1) [System Idle Process] Process file: [System Process] or [system process]. Process name: Windows memory processing system process. Description: the Windows paged memory management process, with priority level 0. Note: this process runs as a single thread on each processor and is dispatched whenever the system is not handling any other thread. The higher its CPU usage, the more CPU resources are available; the lower it is, the tighter CPU resources are.

(2) [alg.exe] Process file: alg or alg.exe. Process name: Application Layer Gateway Service. Description: the application layer gateway service for network sharing. Note: a gateway communication plug-in manager that provides third-party protocol plug-in support for the Internet Connection Sharing and Internet Connection Firewall services.

(3) [csrss.exe] Process file: csrss or csrss.exe. Process name: Client/Server Runtime Server Subsystem. Description: the client service subsystem that controls the Windows graphics-related subsystem. Note: this is part of the user-mode Win32 subsystem. CSRSS stands for Client/Server Run-time Subsystem and is a basic subsystem that must always be running. CSRSS is used to maintain Windows control, create or delete threads, and provide some 16-bit virtual MS-DOS environments.

(4) [ddhelp.exe] Process file: ddhelp or ddhelp.exe. Process name: DirectDraw Helper. Description: DirectDraw Helper is a DirectX component used for graphics services. Note: the DirectX helper.

(5) [dllhost.exe] Process file: dllhost or dllhost.exe. Process name: DCOM DLL Host Process. Description: the DCOM DLL host process supports DLL-based COM objects so that Windows programs can run. Note: the COM surrogate; the more DLL components the system has, the more CPU and memory DLLHOST occupies. Anyone who went through the "Blaster Killer" worm in August is probably familiar with it.

(6) [explorer.exe] Process file: explorer or explorer.exe. Process name: Program Manager. Description: Windows Program Manager, or Windows Explorer, controls the Windows graphical shell, including the Start menu, taskbar, desktop and file management. Note: this is the user's shell, which you see as the taskbar, desktop and so on; it is also the file manager (Explorer); try it in Run if you don't believe it. It matters a lot to the stability of the Windows system, and Code Red goes after it, creating an Explorer.exe in the root of C: and D:.

(7) [inetinfo.exe] Process file: inetinfo or inetinfo.exe. Process name: IIS Admin Service Helper. Description: InetInfo is part of Microsoft Internet Information Services (IIS) and is used for debugging. Note: the IIS service process; Code Blue exploits a buffer overflow in inetinfo.exe.

(8) [internat.exe] Process file: internat or internat.exe. Process name: Input Locales. Description: this input control icon is used to change settings such as country, keyboard type and date format. internat.exe starts running at startup and loads the different input locales specified by the user, which are read from the registry at HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. internat.exe places the "EN" icon in the system tray so the user can easily switch between input locales. When the process is stopped the icon disappears, but the input locale can still be changed through the Control Panel. Note: it mainly controls input methods. If there is no "EN" icon on your taskbar although the system has an internat.exe process, you may wish to end the process and run the internat command from Run.

(9) [kernel32.dll] Process file: kernel32 or kernel32.dll. Process name: Windows Shell Process. Description: the Windows shell process manages multi-threading, memory and resources. Note: for more, see "Illegal Operations and kernel32 Explained".

(10) [lsass.exe] Process file: lsass or lsass.exe. Process name: Local Security Authority Service. Description: this local security authority service controls the Windows security mechanism; it manages the IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers. Note: this is the local security authorization service; it generates a process for users authorized through the Winlogon service, using an authorization package such as the default msgina.dll. If authorization succeeds, LSASS generates the user's access token, with which the initial shell is launched; other processes started by the user inherit this token. The Windows Active Directory remote stack overflow vulnerability exploits the LDAP 3 search request function's lack of correct buffer boundary checks on user-submitted requests: a request built with more than 1000 "and" clauses sent to the server triggers a stack overflow that crashes the lsass.exe service, and the system restarts within 30 seconds.

(11) [mdm.exe] Process file: mdm or mdm.exe. Process name: Machine Debug Manager. Description: the debug error manager; the Microsoft Script Editor in Microsoft Office uses it to debug applications and Microsoft Office. Note: mdm.exe's main task is debugging application software. To put it plainly, if you see 0-byte files whose names start with FFF, they are temporary files that mdm.exe generates while troubleshooting. These files are not cleared automatically when the operating system shuts down, so these odd FFF files, like the .CHK files, are useless and can be deleted freely without any adverse effect on the system. On 9x systems, as long as mdm.exe is present, odd files starting with FFF may be generated. You can stop mdm.exe from running and get rid of the FFF files completely as follows: first press Ctrl+Alt+Del, select "MDM" in the "Close Program" window that pops up, and click "End Task" to stop the mdm.exe running in the background; then rename MDM.EXE (in the C:\Windows\System directory) to MDM.BAK. Run msconfig and uncheck "Machine Debug Manager" on the Startup tab so that mdm.exe no longer starts, then click "OK" to close msconfig and restart the computer. Also, if you use IE 5.x or a later browser version, it is recommended to disable script debugging (Tools → Internet Options → Advanced → Disable Script Debugging), which avoids the FFF files.

(12) [mmtask.tsk] Process file: mmtask or mmtask.tsk. Process name: Multimedia support process. Description: this Windows multimedia background program controls multimedia services such as MIDI. Note: this is a task scheduling service, responsible for running tasks scheduled in advance at a given time.

(13) [mprexe.exe] Process file: mprexe or mprexe.exe. Process name: Windows Routing Process. Description: the Windows routing process dispatches network requests to the appropriate network component. Note: this is the core process file of the Windows 32-bit network interface service and the core of the network client component. The "A-311 Trojan (Trojan.a-311.104)" also creates an MPREXE.exe process in memory, which can be ended through the Task Manager.

(14) [msgsrv32.exe] Process file: msgsrv32 or msgsrv32.exe. Process name: Windows Messenger Service. Description: the Windows messenger service calls the Windows drivers and program management at startup. Note: the msgsrv32.exe application on Win9x; if the sound card or graphics driver is misconfigured, it will crash or report an msgsrv32.exe error.

(15) [mstask.exe] Process file: mstask or mstask.exe. Process name: Windows Scheduled Tasks. Description: Windows scheduled tasks are used to run backups or programs at a set time or date. Note: Scheduled Tasks starts from the registry. Therefore a program that auto-starts through Scheduled Tasks does not show its file name in System Information, and once it is deleted or disabled from the registry, the programs launched by Scheduled Tasks can no longer run automatically. Win9x opens a scheduled task at system startup; you can stop it from starting by double-clicking the Scheduled Tasks icon → Advanced → Stop Using Task Scheduler. In addition, attackers frequently use scheduled tasks during an attack, including for uploading files, escalating privileges, planting trojans and cleaning up traces.

(16) [regsvc.exe] Process file: regsvc or regsvc.exe. Process name: Remote Registry Service. Description: the remote registry service is used to access the registry of a remote computer.

(17) [rpcss.exe] Process file: rpcss or rpcss.exe. Process name: RPC Portmapper. Description: the Windows RPC port mapping process handles RPC (Remote Procedure Call) calls and maps them to the designated service provider. Note: if it is not loaded at boot on Windows 98, or problems appear in use, you can add a string value directly in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, pointing to c:\windows\system\rpcss.

(18) [services.exe] Process file: services or services.exe. Process name: Windows Service Controller. Description: manages Windows services. Note: most system kernel-mode processes run as system processes. Open Services in Administrative Tools and you will see many services that call %SystemRoot%\system32\services.exe.

(19) [smss.exe] Process file: smss or smss.exe. Process name: Session Manager Subsystem. Description: this process acts as the session management subsystem: it initializes system variables and MS-DOS device names such as LPT1 and COM, calls the Win32 shell subsystem and runs the Windows logon process. Note: this is the session manager subsystem and is responsible for starting the user session. It is started by the system process and is involved in many activities, including launching the Winlogon and Win32 (csrss.exe) threads and setting system variables. After starting these processes it waits for Winlogon or CSRSS to end; if they end normally, the system shuts down. If something unexpected happens, smss.exe makes the system stop responding (that is, it hangs).

(20) [snmp.exe] Process file: snmp or snmp.exe. Process name: Microsoft SNMP Agent. Description: the Windows Simple Network Management Protocol (SNMP) agent is used to listen for and send requests to the appropriate network component. Note: responsible for receiving SNMP request packets, sending response packets and interfacing with the Winsock API as required.

(21) [spool32.exe] Process file: spool32 or spool32.exe. Process name: Printer Spooler. Description: the Windows print job control program, which prepares jobs for the printer.

(22) [spoolsv.exe] Process file: spoolsv or spoolsv.exe. Process name: Printer Spooler Service. Description: the Windows print job control program, which prepares jobs for the printer. Note: the Spooler service manages the print and fax jobs in the buffer pool.

(23) [stisvc.exe] Process file: stisvc or stisvc.exe. Process name: Still Image Service. Description: the still image service is used to control scanners and digital cameras connected to Windows.

(24) [svchost.exe] Process file: svchost or svchost.exe. Process name: Service Host Process. Description: the service host process is a standard host process for services run from dynamic link libraries. Note: svchost.exe is the generic host process name for services that run from dynamic link libraries. The svchost.exe file is located in the %SystemRoot%\System32 folder of the system. At startup, svchost.exe checks the services portion of the registry to build the list of services it needs to load. This causes several svchost.exe instances to run at the same time. Each svchost.exe instance contains a group of services, so how an individual service is started depends on how that svchost.exe was started. This makes control and troubleshooting easier. Windows 2000 typically has 2 svchost processes: one is the RPCSS (Remote Procedure Call) service process, the other is an svchost.exe shared by many services. Windows XP generally has 4 or more svchost.exe service processes, and Windows 2003 Server has even more.

(25) [taskmon.exe] Process file: taskmon or taskmon.exe. Process name: Windows Task Optimizer. Description: the Windows task optimizer monitors how frequently you use a program and organizes your hard drive by the programs that are loaded most often. Note: the Task Manager; its function is to monitor the execution of programs and report on it at any time. It can monitor programs running as windows in the taskbar, open and end programs, and directly call up the shut-down dialog.

(26) [tcpsvcs.exe] Process file: tcpsvcs or tcpsvcs.exe. Process name: TCP/IP Services. Description: the TCP/IP services application supports TCP/IP connections to the LAN and the Internet.

(27) [winlogon.exe] Process file: winlogon or winlogon.exe. Process name: Windows Logon Process. Description: the Windows NT user logon program. This process manages user logon and logoff; Winlogon is activated when the user presses Ctrl+Alt+Del and displays the security dialog.
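To turn the list above into the kind of quick check the introduction talks about, here is an added example (my own script, not part of the original article): it flags copies of the core process names running from outside %SystemRoot%\System32 (or an explorer.exe outside %SystemRoot%, the pattern Code Red leaves behind), and shows which services each svchost.exe instance hosts so the RPCSS instance can be told apart from the shared ones. It assumes a current Windows host with Windows PowerShell 5.1 or later, run as administrator so that process paths are readable.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1+
# (or PowerShell 7) on a Windows host, run with administrator rights.

# Core process names from the list that should only run from System32 (or SysWOW64).
$systemNames = 'csrss', 'lsass', 'services', 'smss', 'svchost', 'spoolsv', 'winlogon'
$allowedDirs = @((Join-Path $env:SystemRoot 'System32'),
                 (Join-Path $env:SystemRoot 'SysWOW64'))
$explorerOk  = Join-Path $env:SystemRoot 'explorer.exe'

$procs = Get-CimInstance Win32_Process

# 1. Flag core process names whose image lives in an unexpected directory.
$suspect = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }   # System / System Idle Process expose no path
    $name = [IO.Path]::GetFileNameWithoutExtension($p.Name).ToLower()

    if ($systemNames -contains $name) {
        $ok = $allowedDirs | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $ok) {
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $path
                               Reason = 'core process outside System32' }
        }
    } elseif ($name -eq 'explorer' -and $path -ine $explorerOk) {
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $path
                           Reason = 'explorer.exe outside %SystemRoot%' }
    }
}
if ($suspect) { $suspect | Format-Table -AutoSize }
else { 'No core process is running from an unexpected path.' }

# 2. Map every svchost.exe instance to the services it hosts.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $hostPid = $_.ProcessId
    $hosted  = ($services | Where-Object { $_.ProcessId -eq $hostPid } |
                Select-Object -ExpandProperty Name) -join ', '
    [pscustomobject]@{ PID = $hostPid; CommandLine = $_.CommandLine; Services = $hosted }
} | Format-Table -Wrap
```

An svchost.exe with no hosted services, or one whose image path is flagged in the first table, is the kind of entry worth a closer look.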