Telling a genuine Explorer.exe process from a fake one

Source: Internet
Author: User
Tags: ini, thread

1. What is the Explorer.exe process?

Open Task Manager and you will find this process in the list. It uses little memory, around 10MB. End it, and every open Explorer window closes and the icons on the desktop disappear.

That happens because Explorer.exe is the Windows shell. It is the program most users know as Windows Explorer: it draws the Start menu, the taskbar and the desktop, and it provides the file-management windows. It starts with the system and runs until shutdown, unless someone ends it by hand. To restore the desktop after the process has been ended, open Task Manager, choose File > New Task (Run...), type explorer.exe and click OK; a new shell process starts and the desktop comes back.

2. Explorer.exe is easy to impersonate

First, malware still relies on disguise to confuse users. The genuine process is named Explorer.exe; some malicious processes are named ExpIorer.exe (a capital I in place of the lowercase l) or Expl0rer.exe (the digit 0 in place of the letter o). At a glance the names are indistinguishable. The well-known Mydoom virus is one example of malware that hides behind the Explorer.exe name.

Background: Mydoom spreads through e-mail attachments and peer-to-peer networks. When a user opens the attachment and runs it, the virus harvests e-mail addresses from the user's mailbox, forges the sender address, and mass-mails itself as an attachment. It also starts a process named Explorer.exe on the infected host.

Beyond watching the process name, what other detection and prevention methods are there? One is the path of the Explorer.exe process: the genuine one lives in the Windows directory of the system drive (if the system drive is C:, the path is C:\Windows\Explorer.exe). A process tool that shows image paths, such as the process viewer in 360, makes this easy to check; anything named Explorer.exe running from another directory is suspect.

Another place to look is System.ini (C:\Windows\System.ini). Under [boot] there is a line of the form shell=filename. The correct value is shell=Explorer.exe and nothing else. If the line reads shell=Explorer.exe followed by another program name, that additional program is a Trojan configured to start together with the shell, and the machine has been compromised. On Windows NT-based systems such as 2000 and XP the shell is set instead by the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which deserves the same check.

The registry is more involved. Run regedit, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and look through the values for auto-start entries you do not recognise, particularly those pointing at .exe files. Note that the file names some Trojans create closely mimic the system's own files, which is deliberate camouflage. The "Acid Battery v1.0" Trojan, for example, changes the Explorer value under that Run key to Explorer="C:\windows\expiorer.exe", differing from the genuine file name by a single letter. Such entries call for a high level of vigilance. The same Run key under HKEY_CURRENT_USER should be checked as well.
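The four checks described so far (look-alike process names, the genuine name running from the wrong path, an extra program on the shell= line of System.ini, and a look-alike target in the Run key) are mechanical enough to script. The block below is an added example, not code from the article or from any of the tools it names. It runs over constructed sample data embedded inline: the process list, System.ini text and Run values are made up for the demonstration, the system drive is assumed to be C:, and Run values are assumed to hold a single, optionally quoted, path without arguments. On a real machine you would feed it the output of tasklist /fo csv (or Get-Process), the contents of C:\Windows\System.ini and the values exported from the Run key.

```python
"""Heuristic checks for a fake Explorer.exe (added example; constructed data only)."""
import ntpath

GENUINE_NAME = "explorer.exe"
GENUINE_PATH = r"C:\Windows\explorer.exe"  # assumption: system drive is C:

# Characters that imitate letters of "explorer": capital I, digit 1, a bar or a
# lowercase i for l (sans-serif fonts render i and l closely), digit 0 for o.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "i": "l", "0": "o"}


def canonical(name: str) -> str:
    """Fold look-alike characters to the letters they imitate, then lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def is_lookalike(name: str) -> bool:
    """True for ExpIorer.exe, Expl0rer.exe and friends: reads as explorer.exe but is not."""
    return canonical(name) == GENUINE_NAME and name.lower() != GENUINE_NAME


def check_process(name: str, path: str) -> str:
    """Classify one (image name, full path) record.

    Returns 'lookalike-name', 'wrong-path', 'ok' or 'unrelated'."""
    if is_lookalike(name):
        return "lookalike-name"
    if name.lower() != GENUINE_NAME:
        return "unrelated"
    if ntpath.normcase(path) != ntpath.normcase(GENUINE_PATH):
        return "wrong-path"
    return "ok"


def shell_value(system_ini: str) -> str:
    """Return the shell= value from the [boot] section of a System.ini ('' if absent)."""
    section = ""
    for raw in system_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return ""


def check_shell(value: str) -> list[str]:
    """Everything on the shell= line other than Explorer.exe itself is an extra program."""
    return [tok for tok in value.split() if ntpath.basename(tok).lower() != GENUINE_NAME]


def check_run_values(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Flag Run entries whose target reads as explorer.exe.

    The real shell is not started from the Run key at all, so even a correctly
    spelled explorer.exe there is worth a look. Assumes each value is a single,
    optionally quoted, path without arguments."""
    findings = []
    for value_name, data in values.items():
        target = data.strip().strip('"')
        base = ntpath.basename(target)
        if canonical(base) != GENUINE_NAME:
            continue
        verdict = check_process(base, target)
        findings.append((value_name, target, verdict if verdict != "ok" else "explorer-in-run-key"))
    return findings


def audit(processes, system_ini, run_values) -> list[str]:
    """Run all four checks and return one line per finding."""
    out = []
    for name, path in processes:
        verdict = check_process(name, path)
        if verdict in ("lookalike-name", "wrong-path"):
            out.append(f"process {name} at {path}: {verdict}")
    for extra in check_shell(shell_value(system_ini)):
        out.append(f"System.ini shell= launches an extra program: {extra}")
    for value_name, target, reason in check_run_values(run_values):
        out.append(f"Run value {value_name} -> {target}: {reason}")
    return out


# Constructed sample data, modelled on the cases described in the article.
SAMPLE_PROCESSES = [
    ("Explorer.exe", r"C:\Windows\explorer.exe"),                                     # genuine
    ("ExpIorer.exe", r"C:\Windows\System\ExpIorer.exe"),                              # capital I for l
    ("Expl0rer.exe", r"C:\Documents and Settings\User\Local Settings\Temp\Expl0rer.exe"),  # 0 for o
    ("explorer.exe", r"C:\Windows\System32\explorer.exe"),                            # right name, wrong dir
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),                              # unrelated
]
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\Windows\\System\\expiorer.exe\n[386Enh]\n"
SAMPLE_RUN_VALUES = {
    "Explorer": r'"C:\windows\expiorer.exe"',        # the Acid Battery style entry
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_PROCESSES, SAMPLE_SYSTEM_INI, SAMPLE_RUN_VALUES):
        print(line)
```

Run as a script it prints five findings for the sample data: two look-alike names, one genuine name in the wrong directory, the extra program on the shell= line, and the look-alike Run value. The confusable table is deliberately small; extend it if you see other substitutions in the wild.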

Besides disguising a file name as Explorer.exe, viruses also exploit this process through thread-insertion (code-injection) techniques. The once widespread "Magic Wave" virus variant, for example, used this approach. Injection lets these Trojans load their server-side component inside the legitimate Explorer.exe process, so there is no separate process for the user to find. For Trojans of this kind you can use a tool such as "Trojan Helper Finder": under its process-monitoring option, select the Explorer.exe process, and the DLL window below lists the path and file name of every DLL the process has loaded. If you find a suspicious DLL, end the process that loaded it. This does require some familiarity with common Trojans; otherwise it is hard to tell which DLL is out of place.
