Windows XP processes
To view the processes running on your Windows machine, follow these steps:
- Right-click on the toolbar at the bottom of the page and select Task Manager. Alternatively, press Ctrl + Alt + Delete and select Task Manager.

[Image: Click Task Manager]

- Select the Process tab and click on User Name to sort the list by User Name.

[Image: Click User Name field]
We can see a lot of processes in the above image. We will go through the processes shown, grouped by User Name, starting with the common system processes and then moving on to the unique processes that the logged-in user (Steve) has started.

| Process File | Process Name | Description | Company | Risk |
| --- | --- | --- | --- | --- |
| LOCAL SERVICE | ||||
| svchost.exe | Service Host Process | This application works as a host process for services that run from dynamic link libraries. | Microsoft Corp. | No |
| alg.exe | Application Layer Gateway Service | This process is part of the Internet Connection Sharing application and Internet Connection Firewall for Windows XP. | Microsoft Corp. | No |
| NETWORK SERVICE | ||||
| svchost.exe | Service Host Process | This application works as a host process for services that run from dynamic link libraries. | Microsoft Corp. | No |
| SYSTEM | ||||
| vsmon.exe | True Vector Internet Monitor | This process is associated with ZoneAlarm personal firewall, which monitors Internet traffic and generates alerts by following the security rules that users configure in Zone Alarm. | Zone Labs Inc. | No |
| smss.exe | Session Manager Subsystem | This is the application that is used to start, manage, and delete user sessions or client sessions under Terminal Server. | Microsoft Corp. | No |
| csrss.exe | Client/Server Runtime Server Subsystem | The Windows client server run-time subsystem handles Windows and graphics functions for all subsystems. | Microsoft Corp. | No |
| winlogon.exe | Windows Logon Process | The Windows logon utility manages user logons and logoffs. The utility prompts you for the password when you log on and allows you to log off or shut down. | Microsoft Corp. | No |
| services.exe | Windows Service Controller | Application that is used for starting, stopping, and interacting with system services. | Microsoft Corp. | No |
| lsass.exe | Local Security Authority Service | The Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your system. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service. | Microsoft Corp. | No |
| spoolsv.exe | Printer Spooler Service | Windows Printer Spooler; this service stores printer jobs and forwards them to the printer when it is ready. | Microsoft Corp. | No |
| swnetsup.exe | swnetsup | swnetsup.exe, part of the Sophos anti-virus software. | Sophos | No |
| sweepsrv.exe | sweepsrv | sweepsrv.exe, part of the Sophos anti-virus software. | Sophos | No |
| Steve | ||||
| explorer.exe | Program Manager | Windows Program Manager or Windows Explorer; this handles the Windows Graphical Shell (Interface), which includes the Start menu, taskbar, desktop, and File Manager. | Microsoft Corp. | No |
| msmsgs.exe | MSN Messenger Traybar Process | System tray bar icon for accessing MSN Messenger, which is an online chat and instant messaging client. | Microsoft Corp. | No |
| qttask.exe | Quick Time Tray Icon | System tray bar icon for accessing Apple QuickTime. | Apple Computer, Inc. | No |
| zlclient.exe | Zone Labs Client | Application that is associated with ZoneAlarm personal firewall, which monitors Internet traffic and generates alerts by following the security rules that users configure in Zone Alarm. | Zone Labs Inc. | No |
| psfree.exe | Pop-Up Stopper | Pop-Up Stopper, a program which blocks web browser based pop-ups. | Panicware | No |
| icmon.exe | InterCheck Monitor | InterCheck Monitor, part of the Sophos anti-virus software. | Sophos | No |
| outlook.exe | Microsoft Outlook | Microsoft Outlook, an email processing program included in Microsoft Office. | Microsoft Corp. | No |
| taskmgr.exe | The Windows Task Manager | An application that displays all the processes running on the system. | Microsoft Corp. | No |
| iexplore.exe | Internet Explorer | Microsoft Internet Explorer used to browse the World Wide Web through HTTP. | Microsoft Corp. | No |
| winword.exe | Microsoft Word | Microsoft Word, a word processing program included in Microsoft Office. | Microsoft Corp. | No |

Most of these processes will be present on your system; there will also be others that are not included here. You can use software documentation or the Internet to learn about the processes that are running on your system. Below is an example of a process to look out for. It is particularly hard to spot because of its name: it deliberately uses a name that is similar to a known system process so that a user may be fooled into believing that it is a valid process.

| Process File | Process Name | Description | Company | Risk |
| --- | --- | --- | --- | --- |
| iexplorer.exe | iexplorer | Application that is a variant of the RapidBlaster parasite that downloads advertising from the Internet and displays it periodically. | N/A | Yes |

Another trick is to give the process the same name as a system process. This will not only fool some users, but they will also be unable to stop the process through Task Manager, as the operating system will think that the process is a system process and necessary. There are tools that you can get that can kill such processes. If you are unsure about a process, there are techniques that can be used to determine whether the process really is what it claims to be. You can create baseline MD5 hashes of files and programs so that, if you are unsure about one in the future, you can make another MD5 hash and see if they are the same. If they are not, the file or application has been modified or is completely different. To learn more about this, read the guide to MD5 Hashing.
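
The two checks described above (a look-alike name such as iexplorer.exe, and a file that reuses a trusted name but no longer matches its baseline hash) can be combined in one script. This is an added example, not part of the original page; the function names are hypothetical and the files are constructed stand-ins for real executables.

```python
import hashlib
import os
import pathlib
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks. hashlib.sha256 is a drop-in replacement."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record file name -> digest while the machine is known to be clean."""
    return {os.path.basename(p).lower(): md5_of(p) for p in paths}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss names such as iexplorer.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_image(path, baseline, max_distance=2):
    """Classify one executable: ok, modified, lookalike of <name>, or unknown."""
    name = os.path.basename(path).lower()
    if name in baseline:  # a familiar name proves nothing; compare the hash
        return "ok" if md5_of(path) == baseline[name] else "modified"
    near = sorted(k for k in baseline if edit_distance(name, k) <= max_distance)
    return "lookalike of " + near[0] if near else "unknown"

def demo():
    """Constructed files stand in for real executables so this runs anywhere."""
    def put(folder, name, data):
        pathlib.Path(folder, name).write_bytes(data)
        return os.path.join(folder, name)
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as now:
        baseline = build_baseline([put(good, "iexplore.exe", b"browser"),
                                   put(good, "svchost.exe", b"service host")])
        samples = [put(now, "iexplore.exe", b"browser"), put(now, "svchost.exe", b"swapped"),
                   put(now, "iexplorer.exe", b"adware"), put(now, "winword.exe", b"word")]
        return {os.path.basename(p): check_image(p, baseline) for p in samples}

if __name__ == "__main__":
    print(demo())
```

An "unknown" verdict only means the file was not in the baseline, so it still needs to be looked up in software documentation as described earlier.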