Today a friend called me and said that his website was very slow to access. It really was slow to open his site. I checked the website's response time at the webmaster's house. Sure enough, the response time was nearly 1 s in some measurements and about 4 s in others. At first I suspected that my friend's website had been infected. I asked for the login username, password, and IP address, and logged on to my friend's VPS. The operating system was Windows 2003 and the IIS version was 6.0. I scanned the entire system with anti-virus software and found no trojan files. I also used the CMS back end to look for viruses and found no abnormal files.

I then opened the operating system's resource manager. CPU usage was high, sometimes reaching 100%. How could the response time be fast with the CPU in that state? Looking more closely, I saw that two processes were taking up most of the CPU: csrss.exe and winlogon.exe. CPU usage this high in these two processes means that someone is cracking my friend's server. In this case, the fix is to change port 3389 on my friend's VPS.
The specific steps are as follows. Enter regedit in the Run dialog to open the registry editor. Find PortNumber under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp and change its value to the port you want, such as 6666 (note: the choice is free, as long as it does not conflict with a port already in use on the system). Note that the base must be set to decimal. In addition, you must modify the PortNumber value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and it must be set to the same port as above. Next, close the registry editor. At the same time, I disabled Windows Firewall on the VPS, because I had installed another firewall for my friend. Note that webmasters who have Windows Firewall enabled must click Settings on the Advanced tab of the Local Area Connection properties and click Add Port in the Windows Firewall dialog that pops up. The name can be anything, but the port number must match the port number set in the registry above. For details, see:
Now the port has been modified. To make my friend's machine more secure, I also changed the default Administrator name. To do this, right-click My Computer, select "Manage", and select "Users" under Local Users and Groups in Computer Management. In the window on the right, rename the default administrator account.
The port change takes effect only after the computer is restarted, and the Administrator name change takes effect after logging off. So making the port change take effect costs your website only one or two minutes of downtime. After the restart, start Remote Desktop Connection on the local computer. The IP address entered in the Computer (C) field must be followed by the port number, for example 220.220.220.5:6666. Otherwise, you cannot log on. When I checked the resource manager again, CPU usage had clearly dropped, generally to no more than 20%. Now the problem is solved. Over the next two days I was still not at ease, so I specifically asked my friend, and was told that access was quite normal and no longer slow.
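An added example, not part of the original post: a Python check, run before the restart, over a regedit export of the two keys named above. It reports a missing or mismatched PortNumber and the case where the port was typed with the hexadecimal base selected. The sample export is constructed and the function names are this example's own; a real regedit export is UTF-16 and must be decoded to text before it is passed in.

```python
import re

# The two keys the article says must hold the same PortNumber.
RDP_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
)

def parse_port_numbers(reg_text):
    """Return {lower-cased key path: PortNumber as int} from .reg export text."""
    ports, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        else:
            m = re.fullmatch(r'"PortNumber"=dword:([0-9a-fA-F]{8})', line)
            if m and key:
                ports[key] = int(m.group(1), 16)  # .reg files store DWORDs in hex
    return ports

def check_rdp_ports(reg_text, intended):
    """Return a list of problems; an empty list means both keys hold `intended`."""
    ports = parse_port_numbers(reg_text)
    problems = []
    for path in RDP_KEYS:
        name = path.rsplit("\\", 1)[-1]
        value = ports.get(path.lower())
        if value is None:
            problems.append(f"{name}: PortNumber not found")
        elif value == intended:
            continue
        elif value == int(str(intended), 16):
            # The digits of the intended port were read as hex, e.g. 0x6666 = 26214.
            problems.append(f"{name}: {value} means {intended} was entered with the hexadecimal base selected")
        else:
            problems.append(f"{name}: port is {value}, expected {intended}")
    return problems

# Constructed sample export: first key is correct (0x1a0a = 6666), second was typed as hex.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00001a0a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00006666
"""

if __name__ == "__main__":
    print(check_rdp_ports(SAMPLE, 6666) or "both keys hold 6666")
```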