In-depth analysis of the two most confusing Windows Processes

Source: Internet
Author: User

Explorer.exe

In the Windows operating system, a process named explorer.exe is started at runtime. This process is mainly responsible for displaying the icons and the taskbar on the system desktop. It can be put to different uses on different systems.

Application of explorer in Windows 9x

In Windows 9x, this process is required to run the system. If the explorer.exe process is ended with "End Task", the system refreshes the desktop and updates the registry. Therefore, we can also use this method to quickly update the registry. The method is as follows:

Press CTRL + ALT + DEL to display the "End Task" dialog box. In this dialog box, select the "Explorer" option and click the "End Task" button. The "Close Windows" dialog box appears. Click "No". The system will then display another dialog box, telling you that the program is not responding and asking whether to end the task. Click the "End Task" button to update the registry and return to the Windows 9x system environment. Isn't this much easier than a cumbersome restart?

Application of explorer in Windows 2000/XP

In Windows 2000/XP and other Windows NT-kernel systems, the explorer.exe process is not required when the system is running. Therefore, you can use the Task Manager to end it without affecting the normal operation of the system. Open the program you want to run, such as Notepad. Then, right-click the taskbar, select "Task Manager", select the "Processes" tab, select the explorer.exe process in the window, and click the "End Process" button. All the icons and the taskbar then disappear, leaving only the wallpaper (Active Desktop wallpaper excepted). At this point, you can still operate all running software as usual.

What if you want to run other software, but there is nothing on the desktop to click? Don't worry, there are two ways to cleverly open other software:

Method 1: Press CTRL + ALT + DEL to display the "Windows Security" dialog box. Click the "Task Manager" button (or press Ctrl + Shift + ESC). In the Task Manager window, select the "Applications" tab and click "New Task". In the "Create New Task" dialog box that appears, enter the path and name of the software you want to open.

Method 2: In software that is already running, select "File > Open". In the "Open" dialog box, click the "File type" drop-down list and select "All files", browse to the software you want to open, right-click it, and select the "Open" command in the shortcut menu to start the software you need. Note: you cannot open the software by clicking the "Open" button. This method is applicable to most software except the Office series.

Ending the explorer.exe process reduces the memory used by the system by about KB, which will undoubtedly speed up the system and free up valuable space for users with insufficient resources.

Svchost.exe

Svchost.exe is a very important process of NT-kernel systems and is indispensable for Windows 2000 and XP. Many viruses and Trojans also make use of it. Therefore, an in-depth understanding of this program is one of the required courses for anyone who works with computers.

Everyone is familiar with the Windows operating system, but have you noticed the svchost.exe file in the system? Careful readers will find that there are multiple "svchost" processes in Windows (open the Task Manager with "CTRL + ALT + DEL" and you can see them in the "Processes" tab). Why? Let's unveil its secret.

In the NT kernel-based Windows operating system family, different versions of Windows have different numbers of "svchost" processes. You can use the "Task Manager" to view the number of processes. In general, Win 2000 has two svchost processes, Win XP has four or more (so if you later see multiple such processes in the system, do not immediately conclude that the system has a virus), and Win 2003 Server has more. These svchost processes provide many system services, such as Remote Procedure Call, Logical Disk Manager (dmserver), and DHCP Client.

To learn how many system services each svchost process provides, enter the "tlist -s" command in the Command Prompt window of Win 2000; this command is provided by the Win 2000 Support Tools. In Win XP, run the "tasklist /svc" command.

Svchost can contain multiple services

Windows system processes fall into two types: independent processes and shared processes. The svchost.exe file is stored in the "%SystemRoot%\System32" directory and is a shared process. With the increasing number of Windows system services, Microsoft has made many services share the svchost.exe process to save system resources.

But the svchost process only acts as a service host and cannot implement any service functions. That is, it can only provide conditions for other services to be started here, but it cannot provide any services to users. How are these services implemented?

It turns out that these system services are implemented in the form of dynamic link libraries (DLLs). They point their executable path to svchost, and svchost calls the dynamic link library of the corresponding service to start the service. So how does svchost know which dynamic link library should be called for a given system service? This is achieved through the parameters that the system service sets in the registry.

From the startup parameters, we can see that the service is started by SVCHOST.
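The registry lookup described above can be reproduced with a short read-only script. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later and the standard service registry layout (an `ImagePath` value on the service key and a `ServiceDll` value under its `Parameters` subkey).

```powershell
# Added example: map each svchost-hosted service to its group and service DLL.
# Read-only; nothing in the registry is modified.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$hosted = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue

    # ImagePath is the command line the Service Control Manager launches.
    # Keys without an ImagePath, or with a different executable, are skipped.
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }

    # "-k <group>" names the svchost group the service is loaded into.
    $group = ''
    if ($props.ImagePath -match '-k\s+"?([^\s"]+)') { $group = $Matches[1] }

    # Parameters\ServiceDll is the DLL that svchost loads to run the service.
    $paramPath = "$($key.PSPath)\Parameters"
    $dll = (Get-ItemProperty -LiteralPath $paramPath -Name ServiceDll `
                -ErrorAction SilentlyContinue).ServiceDll

    [pscustomobject]@{
        Service    = $key.PSChildName
        Group      = $group
        ImagePath  = $props.ImagePath
        ServiceDll = $dll
    }
}

$hosted | Sort-Object Group, Service | Format-Table -AutoSize -Wrap
```

Rows with an empty `ServiceDll` column are services whose `Parameters` subkey could not be read or does not carry that value.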

Because the svchost process starts various services, viruses and Trojans try their best to exploit it and use its characteristics to confuse users in order to infect, intrude, and cause damage (for example, the "shock wave" variant virus "W32.Welchia.Worm"). However, in Windows it is normal to have multiple svchost processes, so on an infected machine, which one is the virus process? Here is just one example.

Suppose Windows XP is infected with W32.Welchia.Worm. The normal svchost file exists in the "C:\Windows\system32" directory. Be careful if the file appears in other directories. The "W32.Welchia.Worm" virus exists in the "C:\Windows\system32\wins" directory. Therefore, you can use a process manager to check the executable file path of each svchost process and easily find out whether the system is infected with the virus.

The Task Manager in Windows cannot show the process path. You can use third-party process management software, such as the Process Manager in "Windows optimization master". Using these tools, you can easily view the executable file paths of all the svchost processes. Once an execution path is found to be unusual, you should immediately investigate and deal with it.
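The path check described above can also be scripted. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later (for `Get-CimInstance`) and applies the article's rule that the normal file lives in the System32 directory.

```powershell
# Added example: list every svchost.exe process with its executable path and
# the services it hosts, and mark any path outside %SystemRoot%\System32.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index services by the process ID that hosts them (what "tasklist /svc" shows).
$byPid = Get-CimInstance -ClassName Win32_Service |
    Group-Object -Property ProcessId -AsHashTable -AsString

$procs  = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"
$report = foreach ($proc in $procs) {
    # ExecutablePath is empty when the caller may not query the process.
    if (-not $proc.ExecutablePath) {
        $status = 'unknown (run elevated)'
    } elseif ($proc.ExecutablePath -eq $expected) {   # -eq ignores case
        $status = 'expected'
    } else {
        $status = 'CHECK'
    }

    $svc   = $byPid["$($proc.ProcessId)"]
    $names = ''
    if ($svc) { $names = ($svc | Select-Object -ExpandProperty Name) -join ', ' }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Status   = $status
        Path     = $proc.ExecutablePath
        Services = $names
    }
}

$report | Sort-Object Status, PID | Format-Table -AutoSize -Wrap
```

A row marked `CHECK` means the process image is named svchost.exe but runs from a directory other than System32, which is the situation the article describes for W32.Welchia.Worm.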