Parsing Windows XP operating system processes (1)

Source: Internet
Author: User

A process can be understood as a running instance of a program that carries out a specific task for the operating system. This article uses Windows XP as its example to introduce the processes of Windows.

I. Finding suspicious processes

System processes fall into two groups: basic system processes and additional processes. Basic system processes are essential to the operating system; it runs normally only while they are active. Additional processes are not required, and you can start or end them as needed. Let's first look at the most basic system processes.

1. Basic system processes

Csrss.exe: a subsystem server process that controls the creation and deletion of threads in Windows and in the 16-bit virtual DOS environment.
System Idle Process: runs as a single thread on each processor and accounts for the processor time when the system is not running any other thread.
Smss.exe: the session management subsystem, which starts user sessions.
Services.exe: the manager for system services.
Lsass.exe: the Local Security Authority subsystem service.
Explorer.exe: Windows Explorer (the desktop shell and file manager).
Spoolsv.exe: manages queued print and fax jobs.
Svchost.exe: a generic host process for services implemented as DLLs. Several instances usually run at the same time, each hosting its own group of services.

Most of the other, additional processes belong to system services and can be terminated when appropriate. There are too many of them to list one by one here.

When system resources run short, you can end some additional processes to free resources and optimize the system. Once the basic system processes and the known additional processes have been ruled out, any unfamiliar process that remains deserves suspicion.

2. Common Trojan processes

Girl from other countries: diagpolic.exe process.
WAY: Msgsvc.exe process.
Ice Horse: Kernel32.exe process.
BO2000 Trojan: Umgr32.exe process.

Objectively speaking, many mainstream Trojans, such as Pink Pigeon, let their operator choose a custom process name when the server component is configured. A given Trojan therefore does not have a single fixed process name, and trying to find the Trojan server by process name alone does not work. We need to use our own judgment to pick out the "evil horse" among the processes.

3. Analyze suspicious processes yourself

Software name: Liu Ye wiping eye
Software Version: V4.00 Beta 1
Software size: 374KB
Software language: Simplified Chinese
Application Platform: Win9X/NT/2000/XP
Download: Http://tj-http.skycn. net8181/down/eye400fb.zip

After running "Liu Ye wiping eye", double-click its icon in the system tray (see Figure 1). Note that the program has already marked the system files for you, so you only need to pay attention to the processes whose "definition level" is "unknown" or "dangerous", which greatly narrows what you have to judge. When you find a problematic process, select it and click the "Drop Demon Magic" button to stop it.


Figure 1

To fit the program to your own usage habits, you can customize its settings. Click "parameter settings" in the left-hand pane. In the right-hand pane you can choose whether to mark system files, normal files and dangerous files; whether every program is allowed to run; whether dangerous files are closed automatically; and the refresh interval for detection (Figure 2).


Figure 2

The "definition file list" shows the definition level and function description of every program the tool has preset. You can add your own definitions based on what normally runs on your machine. For example, if you use programs such as Virtual PC virtual machines every day, you can mark them as "normal files": in the "add file definition" dialog box (Figure 3), enter the "program name" and "function description" and choose the level. You can also add known Trojan processes as "dangerous files". Finally, click "OK" and save the settings. After this customization it is clear at a glance which processes are problematic.


Figure 3
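The classification that sections 1 to 3 describe by hand (basic system list, known Trojan names, your own "normal"/"dangerous" definitions, everything else "unknown") can be expressed as a small script. This is an added example, not code from the article or from the "Liu Ye wiping eye" tool; the process snapshot, the "Virtual PC.exe" user definition and the expected image directories are constructed assumptions, and the directory check goes beyond the article, which matches by name only.

```python
"""Triage a process snapshot against a definition list, in the spirit of section 3.
The snapshot below is constructed for illustration, not captured from a real machine."""

# Basic system processes from section 1, with the directory each normally runs from
# on Windows XP (the directory check is an added refinement, not from the article).
SYSTEM32 = r"c:\windows\system32"
BASIC_SYSTEM = {
    "csrss.exe": SYSTEM32, "smss.exe": SYSTEM32, "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32, "spoolsv.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "explorer.exe": r"c:\windows", "system idle process": None,
}
# Known Trojan process names from section 2.
KNOWN_TROJANS = {"diagpolic.exe", "msgsvc.exe", "kernel32.exe", "umgr32.exe"}
# User-added definitions (section 3): name -> "normal" or "dangerous". Hypothetical entry.
USER_DEFINITIONS = {"virtual pc.exe": "normal"}

def classify(name, image_dir, user_defs=USER_DEFINITIONS):
    """Return 'system', 'normal', 'dangerous' or 'unknown' for one process."""
    key = name.lower()                      # Windows file names are case-insensitive
    if key in KNOWN_TROJANS:
        return "dangerous"
    if key in user_defs:
        return user_defs[key]
    if key in BASIC_SYSTEM:
        expected = BASIC_SYSTEM[key]
        # A Trojan may reuse a system name; the genuine image lives in a fixed directory.
        if expected is None or (image_dir or "").lower() == expected:
            return "system"
        return "dangerous"
    # Custom Trojan names (section 2) land here: this is the bucket a person must review.
    return "unknown"

def triage(snapshot, user_defs=USER_DEFINITIONS):
    """Return only the processes that merit attention: unknown or dangerous ones."""
    rows = [(pid, name, classify(name, d, user_defs)) for pid, name, d in snapshot]
    return [row for row in rows if row[2] in ("unknown", "dangerous")]

# Constructed snapshot: (pid, image name, image directory).
SAMPLE = [
    (0, "System Idle Process", None),
    (580, "csrss.exe", r"C:\WINDOWS\system32"),
    (1172, "Explorer.EXE", r"C:\WINDOWS"),
    (1400, "svchost.exe", r"C:\WINDOWS\system32"),
    (1588, "Virtual PC.exe", r"C:\Program Files\Microsoft Virtual PC"),
    (1760, "Kernel32.exe", r"C:\WINDOWS"),
    (1904, "svchost.exe", r"C:\Documents and Settings\User\Local Settings\Temp"),
    (2020, "updater.exe", r"C:\WINDOWS\system32"),
]

if __name__ == "__main__":
    for pid, name, level in triage(SAMPLE):
        print(f"{pid:>5}  {name:<22} {level}")
```

Running it lists only the three processes worth a closer look: the known Trojan name, the svchost.exe running from a temp directory, and the unknown updater.exe.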

The operations you perform in the program are recorded automatically; you can review them in the "Willow Leaf log" (Figure 4).


Figure 4
