A detailed summary of Windows 2000 processes

Source: Internet
Author: User
Many people ask what a given process is and whether it is a trojan, and so on. The common processes are introduced below.

The most basic system processes (these processes are the basic conditions for system operation; with them, the system can function correctly):
Smss.exe Session Manager
Csrss.exe Subsystem server process
Winlogon.exe Manages user logon
Services.exe Contains many system services
Lsass.exe Manages IP security policies and starts the ISAKMP/Oakley (IKE) and IP security drivers. (System Services)
  Generates session keys and grants service credentials (tickets) for interactive client/server authentication. (System Services)
Svchost.exe Contains many system services
Svchost.exe
Spoolsv.exe Loads files into memory for later printing. (System Services)
Explorer.exe Explorer
Internat.exe The phonetic (pinyin) input icon in the tray area
Additional system processes (these processes are not required and can be added or removed as needed through the service manager):
Mstask.exe Allows programs to run at specified times. (System Services)
Regsvc.exe Allows remote registry operations. (System Services)
Winmgmt.exe Provides system management information. (System Services)
Inetinfo.exe Provides FTP connectivity and management through the Internet Information Services snap-in. (System Services)
  Allows you to manage Web and FTP services through the Internet Information Services snap-in. (System Services)
Tlntsvr.exe Allows remote users to log on to the system and run console programs from the command line. (System Services)
Tftpd.exe Implements the TFTP Internet standard. The standard does not require a user name and password. Part of the Remote Installation service. (System Services)
Termsrv.exe Provides a multi-session environment that allows client devices to access virtual Windows Professional desktop sessions and Windows-based programs running on the server. (System Services)
Dns.exe Answers query and update requests for Domain Name System (DNS) names. (System Services)
The services below are rarely used. The services above are a security risk and should be turned off if they are not needed.
Tcpsvcs.exe Provides the ability to remotely install Windows Professional on PXE-capable remote-boot client computers. (System Services)
  Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. (System Services)
Ismserv.exe Allows messages to be sent and received between Windows Advanced Server sites. (System Services)
Ups.exe Manages an uninterruptible power supply (UPS) connected to your computer. (System Services)
Wins.exe Provides NetBIOS name services for TCP/IP clients that register and resolve NetBIOS names. (System Services)
Llssrv.exe License Logging Service. (System Services)
Ntfrs.exe Maintains file synchronization of file directory contents among multiple servers. (System Services)
RsSub.exe Controls the media used to store data remotely. (System Services)
Locator.exe Manages the RPC name service database. (System Services)
Lserver.exe Registers client licenses. (System Services)
Dfssvc.exe Manages logical volumes that are distributed over a LAN or WAN. (System Services)
Clipsrv.exe Supports ClipBook Viewer so that you can view clip pages from a remote ClipBook. (System Services)
Msdtc.exe Coordinates parallel transactions that are distributed over more than two databases, message queues, file systems, or other transaction-protected resource managers. (System Services)
Faxsvc.exe Helps you send and receive faxes. (System Services)
Cisvc.exe Indexing Service. (System Services)
Dmadmin.exe Administrative service for disk management requests. (System Services)
Mnmsrvc.exe Allows a privileged user to remotely access the Windows desktop using NetMeeting. (System Services)
Netdde.exe Provides network transport and security features for Dynamic Data Exchange (DDE). (System Services)
Smlogsvc.exe Configures Performance Logs and Alerts. (System Services)
Rsvp.exe Provides network signaling and local traffic control setup for Quality of Service (QoS)-dependent programs and control applications. (System Services)
RsEng.exe Coordinates the services and management tools that are used to store infrequently used data. (System Services)
RsFsa.exe Manages operations on remotely stored files. (System Services)
Grovel.exe Scans Single Instance Storage (SIS) volumes for duplicate files and points the duplicate files to one data storage point to save disk space. (System Services)
SCardSvr.exe Manages and controls access to a smart card inserted into the computer's smart card reader. (System Services)
Snmp.exe Contains agents that monitor the activity of network devices and report to the network console workstation. (System Services)
Snmptrap.exe Receives trap messages generated by local or remote SNMP agents and passes them to the SNMP management programs running on this computer. (System Services)
UtilMan.exe Starts and configures accessibility tools from a single window. (System Services)
Msiexec.exe Installs, repairs, and removes software based on .MSI files. (System Services)


Detailed Description:


Win2K running processes
Svchost.exe
Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the system's %SystemRoot%\System32 folder. At startup, Svchost.exe checks the registry to build the list of services it needs to load. This results in multiple instances of Svchost.exe running at the same time. Each Svchost.exe session contains a group of services, so that separate services can be run depending on how and where Svchost.exe is started. This makes it easier to control them and to find errors.
Svchost.exe groups are identified by the following registry key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you look at the active processes. Each value is of type REG_MULTI_SZ and lists the services that run within that Svchost group. Each Svchost group contains one or more service names taken from the following registry key, whose Parameters key contains a ServiceDll value.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

For more information
To see the list of services that are running in Svchost:
Click Start, click Run, and type cmd
Then type tlist -s (tlist should be one of the tools in the Win2K toolbox)
Tlist displays a list of active processes. The -s switch displays the list of active services in each process. If you want to know more about a process, you can type tlist pid.

Tlist shows two instances of Svchost.exe running.
0 System Process
8 System
132 Smss.exe
160 Csrss.exe Title:
180 Winlogon.exe Title:netdde Agent
208 services.exe Svcs:appmgmt,browser,dhcp,dmserver,dnscache,eventlog,lanmanserver,lanmanworkstation,lmhosts,messenger,plugplay,PROTECTEDSTORAGE,SECLOGON,TRKWKS,W32TIME,WMI
Lsass.exe SVCS:NETLOGON,POLICYAGENT,SAMSS
404 Svchost.exe svcs:rpcss
452 Spoolsv.exe Svcs:spooler
544 Cisvc.exe svcs:cisvc
556 Svchost.exe Svcs:eventsystem,netman,ntmssvc,rasman,sens,tapisrv
580 Regsvc.exe Svcs:remoteregistry
596 Mstask.exe Svcs:schedule
660 Snmp.exe Svcs:snmp
728 Winmgmt.exe SVCS:WINMGMT
852 Cidaemon.exe Title:olemainthreadwndname
812 Explorer.exe Title:program Manager
1032 OSA.EXE Title:reminder
1300 Cmd.exe Title:d:\winnt5\system32\cmd.exe - tlist -s
1080 MAPISP32.EXE title:wms Idle
1264 rundll32.exe Title:
1000 mmc.exe Title:device Manager
1144 Tlist.exe
In this example, the registry defines two groups.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: REG_MULTI_SZ: EventSystem Ias Iprip irmon Netman nwsapagent rasauto rasman remoteaccess SENS sharedaccess Ntmssvc
Rpcss: REG_MULTI_SZ: RpcSs
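
The relationship described above, where each Svchost.exe instance hosts services from exactly one registry group, can be checked mechanically. The following is an added example, not part of the original article: the function names are hypothetical, the tlist text is a constructed sample in the layout shown above (ExampleSvc is a made-up service name), and the group lists are the two values from the registry example.

```python
import re

# Constructed sample in the `tlist -s` layout shown above (not real output).
TLIST_SAMPLE = """\
   0 System Process
 208 services.exe    Svcs:  Browser,Dhcp,Eventlog,PlugPlay
 404 svchost.exe     Svcs:  RpcSs
 556 svchost.exe     Svcs:  EventSystem,Netman,NtmsSvc,RasMan,SENS
 812 explorer.exe    Title: Program Manager
 900 svchost.exe     Svcs:  RasMan,ExampleSvc
 944 svchost.exe     Title:
"""

# Svchost groups (REG_MULTI_SZ values) copied from the registry example above.
SVCHOST_GROUPS = {
    "netsvcs": "EventSystem Ias Iprip irmon Netman nwsapagent rasauto rasman "
               "remoteaccess SENS sharedaccess Ntmssvc",
    "rpcss": "RpcSs",
}

LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+(Svcs|Title):\s*(.*))?$", re.I)

def parse_tlist(text):
    """Return (pid, image name, [hosted services]) for every process line."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, name, kind, value = m.groups()
        svcs = []
        if kind and kind.lower() == "svcs":
            svcs = [s.strip().lower() for s in value.split(",") if s.strip()]
        procs.append((int(pid), name.strip().lower(), svcs))
    return procs

def audit_svchost(text, groups):
    """Map each svchost.exe PID to its registry group, or say why none fits."""
    members = {g: {s.lower() for s in v.split()} for g, v in groups.items()}
    known = set().union(*members.values())
    report = {}
    for pid, name, svcs in parse_tlist(text):
        if name != "svchost.exe":
            continue
        fits = [g for g, m in members.items() if svcs and set(svcs) <= m]
        extra = sorted(set(svcs) - known)
        if fits:
            report[pid] = "group " + fits[0]
        elif not svcs:
            report[pid] = "no services hosted"
        else:
            report[pid] = "unlisted: " + ",".join(extra) if extra else "spans groups"
    return report
```

An instance that reports an unlisted service, or no services at all, is the one to examine further, starting with the ServiceDll value of each service it claims to host.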

Csrss.exe

This is the user-mode part of the Win32 subsystem. CSRSS stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. CSRSS is responsible for console windows, creating or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Explorer.exe
This is the user's shell (I really don't know how to translate "shell"), which we see as the taskbar, the desktop and so on. This process is not as important to running Windows as you might think; you can stop it from Task Manager or restart it, usually without any negative impact on the system.

Internat.exe

This process can be ended from Task Manager.
Internat.exe runs at startup. It loads the different input locales specified by the user. The locales to load are read from this location in the registry:
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
Internat.exe loads the "EN" icon into the system tray, allowing the user to switch easily between input locales.
When the process is stopped, the icon disappears, but the input locales can still be changed through Control Panel.

Lsass.exe
This process cannot be ended from Task Manager.
This is the local security authentication service; it generates the process that authenticates users for the Winlogon service. This is done by using authentication packages such as the default Msgina.dll. If authentication succeeds, Lsass creates the user's access token, which is used to start the initial shell. Other processes that the user starts inherit this token.

Mstask.exe
This process cannot be ended from Task Manager.
This is the task scheduling service, which is responsible for running tasks at times the user has set in advance.

Smss.exe
This process cannot be ended from Task Manager.
This is the session manager subsystem, which is responsible for starting the user session. This process is initialized by the System process and is responsible for many activities, including starting the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has started these processes, it waits for either Winlogon or Csrss to end. If this happens normally, the system shuts down. If it happens unexpectedly, Smss.exe causes the system to stop responding (that is, hang).

Spoolsv.exe
This process cannot be ended from Task Manager.
The spooler service manages the print and fax jobs in the spool.

Services.exe
This process cannot be ended from Task Manager.
Most system kernel-mode processes run as the System process.

System Idle Process
This process cannot be ended from Task Manager.
This process runs as a single thread on each processor and is dispatched on the processor when the system is not processing other threads.


Winlogon.exe
This process manages user logon and logoff. Winlogon is activated when the user presses Ctrl+Alt+Del, and it displays the security dialog box.

Winmgmt.exe
WinMgmt is the core component of client management in Win2000. This process is initialized when a client application connects or when a management program requests its services.

Taskmgr.exe
This process, haha, is the Task Manager.

If anything here is wrong, I hope you will correct me.


Services started in Win2k_AS safe mode
C:\winnt\system32\wbem\winmgmt.exe Windows Management Instrumentation: provides system management information.
C:\winnt\system32\svchost -k rpcss Remote Procedure Call (RPC): provides the endpoint mapper and other RPC services.
C:\winnt\system32\services.exe Plug and Play: manages device installation and configuration and notifies programs of device changes.
C:\winnt\system32\services.exe Logical Disk Manager: Logical Disk Manager watchdog service.
C:\winnt\system32\services.exe Event Log: logs event messages sent by programs and by Windows. The event log contains information that is useful for diagnosing problems. You can view the reports in Event Viewer.

In this state, the three processes Winmgmt.exe, Svchost.exe and Services.exe appear.
  
