Quick Reference guide:


moghrabi
Council Member
Posts: 4,490
Location: Canada
July 11th, 2004, 03:16 PM

Quick Reference guide:

List of common Running Processes Win XP legit files


C:\WINDOWS\System32\smss.exe <<< Session Manager Subsystem: starts, manages & deletes user sessions.
C:\WINDOWS\System32\winlogon.exe <<< Windows NT logon utility that manages user logons and logoffs.
C:\WINDOWS\System32\services.exe <<< Used for starting, stopping and interacting with the system services.
C:\WINDOWS\System32\csrss.exe <<< Client/Server Runtime Server Subsystem: handles Windows and graphics functions for all subsystems
C:\WINDOWS\system32\lsass.exe <<< MS Local Security Authentication Server: handles aspects of security administration
C:\WINDOWS\system32\cisvc.exe <<< Windows Content Indexing service
C:\WINDOWS\System32\svchost.exe <<< Generic Host process for services that run from dynamic link libraries (DLL's).
C:\WINDOWS\System32\svchost.exe <<< 2nd Generic Host process used to load services that use DLL's.
C:\WINDOWS\system32\spoolsv.exe <<< manages spooled fax and print jobs
C:\WINDOWS\system32\msdtc.exe <<< MS Distributed Transaction Coordinator manages transactions across multiple servers.
C:\WINDOWS\System32\svchost.exe <<< 3rd Generic Host process used to load services that use DLL's.
C:\WINDOWS\System32\llssrv.exe <<< MS License Logging Service logs the licensing data for NT Servers
C:\WINDOWS\System32\taskmgr.exe <<< Windows Task Manager: displays all running system processes
C:\WINDOWS\System32\rundll32.exe <<< Run a DLL as an App
C:\WINDOWS\Explorer.EXE <<< Windows Program Manager or Windows Explorer- handles the Windows Graphical Shell including the Start menu, taskbar, desktop, and File Manager
C:\WINDOWS\System32\mmc.exe <<< Management Console: displays the management plug-ins in Control Panel, i.e. Device Manager etc.
C:\WINDOWS\system32\ntvdm.exe <<< NT Virtual DOS Machine, which simulates a 16-bit environment for MS-DOS and 16-bit Windows applications.
C:\WINDOWS\system32\Wowexec.exe <<< system compatibility process hosting 16-bit apps on Win32-based operating systems
C:\WINDOWS\system32\ctfmon.exe <<< handles the Alternative User Input Text Processor & the MS Office Language Bar.
C:\WINDOWS\System32\svchost.exe <<< 4th Generic Host process used to load services that use DLL's.
C:\WINDOWS\system32\wuauclt.exe <<< component of the Windows automatic updater (in ME and XP)
C:\WINDOWS\system32\nddeagnt.exe <<< Network Dynamic Data Exchange Agent
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE <<< Microsoft Internet Explorer web browser
C:\HijackThis\HijackThis.exe


If you have any of the above processes running on your system, be assured that they are safe. You might not have all of them depending on what you are running or you can have a different process that is not listed above.
gnuman
Member
Posts: 244
Location: Montreal, Quebec
July 11th, 2004, 08:55 PM

You made a mistake: if Internet Explorer is running, you are not safe.
moghrabi
Council Member
Posts: 4,490
Location: Canada
July 11th, 2004, 10:11 PM

LOL. This is a good one. Thank you for the correction.
jeckgo
Member
Posts: 79
Location: Oman
January 26th, 2006, 08:08 AM

Hi

quote:

be assured that they are safe



Indeed? Might it not be possible that I replace a particular file, like mmc.exe,
with my own "trojaned" version? Then, C:\WINDOWS\System32\mmc.exe
is running, and if I look at this list, it's legit? (I have in mind "standard
Windows users", who are running, at least for installation purposes,
under administrator privileges.)

Unfortunately, I think the issue is not that simple in general. It requires
digitally signing the applications (MD5 or SHA-1 hashes may, however,
depend on the particular OS and Service Pack) or calculating the hashes
and storing them on an external/read-only medium.

Just a thought
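The check raised in the last post (compare each running image against hashes kept on an external, read-only medium instead of trusting its path and name), as an added example that is not part of the original thread. SHA-256 is used in place of the MD5/SHA-1 mentioned in the post; `check_process`, the baseline layout and the sample files are assumptions constructed for illustration.

```python
import hashlib
import ntpath
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_process(listed_path, on_disk, baseline):
    """Classify one running image against an externally stored baseline.

    listed_path: Windows path shown in the process list
    on_disk:     where the bytes are read from (same path on a live host)
    baseline:    {lower-cased Windows path: set of accepted SHA-256 digests}
    """
    key = listed_path.lower()
    if key not in baseline:
        # File name is on the list but the directory is not the expected one
        if ntpath.basename(key) in {ntpath.basename(p) for p in baseline}:
            return "NAME_MATCH_WRONG_PATH"
        return "UNKNOWN"
    return "OK" if sha256_file(on_disk) in baseline[key] else "HASH_MISMATCH"

def demo():
    """Constructed sample: stand-in files, not real Windows binaries."""
    win_path = r"C:\WINDOWS\System32\mmc.exe"
    with tempfile.TemporaryDirectory() as d:
        mmc = os.path.join(d, "mmc.exe")
        with open(mmc, "wb") as f:
            f.write(b"constructed stand-in for the vendor build")
        # Several digests per path: one per OS / Service Pack build.
        # "0" * 64 is a constructed placeholder for a second build.
        baseline = {win_path.lower(): {sha256_file(mmc), "0" * 64}}
        results = [check_process(win_path, mmc, baseline)]
        with open(mmc, "wb") as f:  # contents replaced, path unchanged
            f.write(b"constructed stand-in for a modified file")
        results.append(check_process(win_path, mmc, baseline))
        results.append(check_process(r"C:\Temp\mmc.exe", mmc, baseline))
        results.append(check_process(r"C:\HijackThis\HijackThis.exe", mmc, baseline))
        return results

if __name__ == "__main__":
    print(demo())
```

On a real host the baseline would be computed from a known-good install and loaded from the read-only medium, and the hashing tool itself would be run from that medium as well.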