Can anyone tell me what the process is in the system resource manager?

Detailed introduction to Windows operating system processes

Tag: System process

(1) [System Idle Process]

Process file: [system process] or [system process]

Process name: Windows memory processing system process

Description: Windows page memory management process, with level 0 priority.

Introduction: This process runs as a single thread on each processor and is given processor time whenever the system is not processing other threads. The higher the CPU usage shown for this process, the more CPU resources are available for allocation; the lower the number, the tighter the CPU resources.

(2)[alg.exe]

Process file: alg or alg.exe

Process name: Application layer gateway service

Description: This is an application layer gateway service for network sharing.

Introduction: A gateway communication plug-in manager that provides support for third-party protocol plug-ins for "Internet Connection Sharing" and the "Internet Connection Firewall".

(3)[csrss.exe]

Process file: csrss or csrss.exe

Process name: Client/Server Runtime Server Subsystem

Description: Client service subsystem, used to control Windows graphics-related subsystems.

Introduction: This is part of the user-mode Win32 subsystem. csrss stands for client/server run-time subsystem, a basic subsystem that must be running at all times. csrss is used to maintain control of Windows, to create or delete threads, and to support parts of the 16-bit virtual MS-DOS environment.

(4)[ddhelp.exe]

Process file: ddhelp or ddhelp.exe

Process name: DirectDraw Helper

Description: DirectDraw Helper is an integral part of DirectX, a graphics service.

Introduction: DirectX Helper

(5)[dllhost.exe]

Process file: dllhost or dllhost.exe

Process Name: DCOM DLL Host process

Description: DCOM DLL Host process supports DLL based on COM objects to run Windows programs.

Introduction: COM proxy. The more DLL components are attached to the system, the more CPU and memory resources dllhost takes up. The "Shock Wave Killer" in August probably made everyone more familiar with it.

(6)[explorer.exe]

Process file: explorer or explorer.exe

Process name: Program Management

Description: Windows Program Manager or Windows Explorer is used to control the Windows graphical shell, including the Start menu, taskbar, desktop and file management.

Introduction: This is the user's shell, which we see as the taskbar, desktop and so on. In other words, it is the resource manager. If you don't believe it, run it and have a look.

It is fairly important to the stability of the Windows system, and Code Red makes trouble for it by creating explorer.exe in the roots of the C: and D: drives.

(7)[inetinfo.exe]

Process file: inetinfo or inetinfo.exe

Process name: IIS Admin Service Helper

Description: InetInfo is part of Microsoft Internet Information Services (IIS) and is used for debugging.

Introduction: The IIS service process. Code Blue exploits the buffer overflow vulnerability of inetinfo.exe.

(8)[internat.exe]

Process file: internat or internat.exe

Process name: Input Locales

Description: This input control icon is used to change settings such as country, keyboard type and date format. internat.exe starts running at startup and loads the input locales specified by the user. The input locales are loaded from the registry location HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. internat.exe places the "EN" icon in the system's icon area, allowing the user to switch easily between input locales. When the process is stopped, the icon disappears, but the input locale can still be changed through the Control Panel.

Introduction: It is mainly used to control the input method. If your taskbar has no "EN" icon while the internat.exe process is present on the system, you can end the process and then execute the internat command from the Run dialog.

(9)[kernel32.dll]

Process file: kernel32 or kernel32.dll

Process name: Windows shell process

Description: Windows shell process is used to manage multi-threading, memory and resources.

Introduction: More illegal browsing operations and Kernel32 interpretation

(10) [lsass.exe]

Process file: lsass or lsass.exe

Process name: Local Security Permissions Service

Description: This local security permissions service controls the Windows security mechanism. Manage IP security policies and enable ISAKMP/Oakley (IKE) and IP security drivers, etc.

Introduction: This is a local security authorization service, and it generates a process for users authorized through the winlogon service. Authorization is performed by authorization packages, such as the default msgina.dll. If authorization is successful, lsass will generate the user's access token, which is not used to start the initial shell. Other processes initiated by the user will inherit this token. The Windows Active Directory remote stack overflow vulnerability arises because the LDAP 3 search request function lacks correct buffer boundary checks on user-submitted requests: an attacker who constructs more than 1,000 "AND" requests and sends them to the server triggers a stack overflow, the Lsass.exe service crashes, and the system restarts within 30 seconds.

(11)[mdm.exe]

Process file: mdm or mdm.exe

Process name: Machine Debug Manager

Description: Debug management, used for debugging applications and the Microsoft Script Editor in Microsoft Office.

Introduction: The main job of Mdm.exe is to debug application software. As an aside, if you see 0-byte files whose names start with fff on the system, they are temporary files that mdm.exe generates during the troubleshooting process. These files are not automatically cleared when the operating system is shut down, so among these strange files starting with fff are some with the suffix CHK, which are useless junk files. You can use the following method to stop the system from running Mdm.exe and so get rid of the strange files starting with fff for good: first press the "Ctrl+Alt+Del" key combination, select "Mdm" in the "Close Program" window that pops up, and press the "End Task" button to stop Mdm.exe from running in the background; then rename Mdm.exe (in the C:\Windows\System directory) to Mdm.bak. Run the msconfig program and clear the "Machine Debug Manager" entry on the startup page, which prevents Mdm.exe from starting automatically; then click the "OK" button to close msconfig and restart the computer. In addition, if you use IE 5.

(12)[mmtask.tsk]

Process file: mmtask or mmtask.tsk

Process name: Multimedia support process

Description: This Windows multimedia daemon controls multimedia services such as MIDI.

Introduction: This is a task scheduling service that is responsible for running tasks that the user decides to run at a certain time in advance.

(13)[mprexe.exe]

Process file: mprexe or mprexe.exe

Process name: Windows routing process

Description: The Windows routing process involves issuing network requests to the appropriate portion of the network.

Introduction: This is the 32-bit network interface service process file of Windows, the core of network client component startup. In my impression, "A-311 Trojan (Trojan.A-311.104)" will also create the mprexe.exe process in memory, and the process can be ended through resource management.

(14)[msgsrv32.exe]

Process file: msgsrv32 or msgsrv32.exe

Process name: Windows Messenger Service

Description: The Windows Messenger service calls Windows Driver and Program Manager at startup.

Introduction: msgsrv32.exe is an application that manages information windows. If the sound card or graphics card driver is not configured correctly under win9x, it will cause a crash or prompt msgsrv32.exe error.

(15)[mstask.exe]

Process file: mstask or mstask.exe

Process name: Windows Scheduled Task

Description: Windows scheduled tasks are used to set the time or date at which inheritance will be backed up or run.

Introduction: The scheduled task service starts automatically through the registry. Therefore, the file name of a program that starts itself through scheduled tasks cannot be seen in the system information. Once the service is deleted or disabled in the registry, all programs started through scheduled tasks will no longer run automatically. Under Win9x, scheduled tasks start when the system starts; you can stop this by double-clicking the scheduled task icon - Advanced - Terminate the scheduled task. In addition, attackers often use scheduled tasks during an attack, including for uploading files, elevating privileges, planting backdoors and cleaning footprints.

(16)[regsvc.exe]

Process file: regsvc or regsvc.exe

Process name: Remote registry service

Description: The Remote Registry service is used to access the registry on a remote computer.

(17)[rpcss.exe]

Process file: rpcss or rpcss.exe

Process name: RPC Portmapper

Description: The Windows RPC port mapping process handles RPC calls (remote procedure calls) and maps them to designated service providers.

Introduction: On Windows 98 it is not started when the interpreter is loaded or at boot. If there are problems during use, you can go directly to the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

add a "String Value" and point it to "C:\WINDOWS\SYSTEM\RPCSS".

(18)[services.exe]

Process file: services or services.exe

Process name: Windows Service Controller

Description: Manage Windows services.

Introduction: Most system core mode processes run as system processes. Open Services in the management tools, and you can see that many services are calling systemroot\system32\services.exe

(19) [smss.exe]

Process file: smss or smss.exe

Process name: Session Manager Subsystem

Description: This process is the session management subsystem. It initializes system variables and MS-DOS driver names such as LPT1 and COM, calls the Win32 shell subsystem and runs the Windows login process.

Introduction: This is the session management subsystem, responsible for starting user sessions. The process is initialized by the system process and is responsible for many activities, including starting the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it starts these processes, it waits for Winlogon or Csrss to finish. If they end normally, the system shuts down; if something unexpected happens, smss.exe causes the system to stop responding (that is, hang).

(20)[snmp.exe]

Process file: snmp or snmp.exe

Process name: Microsoft SNMP Agent

Description: The Windows Simple Network Management Protocol (SNMP) agent listens for requests and sends them to the appropriate part of the network.

Introduction: Responsible for receiving SNMP request messages, sending response messages as required and processing the interface with WinsockAPI.

(21)[spool32.exe]

Process file: spool32 or spool32.exe

Process name: Printer Spooler

Description: Windows print task control program for printer readiness.

(22)[spoolsv.exe]

Process file: spoolsv or spoolsv.exe

Process name: Printer Spooler Service

Description: Windows print task control program for printer readiness.

Introduction: The spooler service manages print and fax jobs in the buffer pool.

(23)[stisvc.exe]

Process file: stisvc or stisvc.exe

Process name: Still Image Service

Description: Still Image Service is used to control scanners and digital cameras connected in Windows.

(24)[svchost.exe]

Process file: svchost or svchost.exe

Process name: Service Host Process

Description: Service Host Process is a standard dynamic link library host processing service.

Introduction: Svchost.exe is a generic host process name for services that run from dynamic link libraries. The Svchost.exe file is located in the systemroot\system32 folder. At startup, Svchost.exe checks the registry to build the list of services that it needs to load. This can result in multiple instances of Svchost.exe running at the same time. Each Svchost.exe session contains a group of services, so which services run depends on how and where Svchost.exe is started. This makes it easier to control services and to find errors. Windows 2k generally has two svchost processes: one is the RPCSS (Remote Procedure Call) service process, and the other is an svchost.exe shared by many services. Windows XP generally has more than 4 svchost.exe service processes, and Windows 2003 Server has more.

(25)[taskmon.exe]

Process file: taskmon or taskmon.exe

Process name: Windows Task Optimizer

Description: Windows Task Optimizer monitors how often you use a program and organizes and optimizes your hard drive by loading those frequently used programs.

Introduction: Task Manager, its function is to monitor the execution of programs and report at any time. It can monitor all programs running in window mode on the taskbar, open and end programs, and directly bring up the system shutdown dialog box.

(26)[tcpsvcs.exe]

Process file: tcpsvcs or tcpsvcs.exe

Process name: TCP/IP Services

Description: TCP/IP Services Application supports connecting to LAN and Internet through TCP/IP.

(27)[winlogon.exe]

Process file: winlogon or winlogon.exe

Process name: Windows Logon Process

Description: Windows NT user login program. This process manages user login and logout. Moreover, winlogon is activated when the user presses CTRL+ALT+DEL and displays the security dialog box.

(28)[winmgmt.exe]

Process file: winmgmt or winmgmt.exe

Process name: Windows Management Service

Description: Windows Management Service handles requests from application clients through Windows Management Instrumentation (WMI) technology.

Introduction: winmgmt is the core component of Win2000 client management. This process is initialized when a client application connects or when a management program requires its services. WinMgmt.exe (CIM Object Manager) and the Knowledge Base (Repository) are the two main components of WMI. The Knowledge Base is a database of object definitions; it is the central database that stores all manageable static data. The Object Manager is responsible for collecting and manipulating objects in the Knowledge Base and for gathering information from WMI providers. WinMgmt.exe runs as a service on Windows 2k/NT and as a standalone exe program on Windows 95/98. WMI errors that occur on some computers running Windows 2k can be corrected by installing Windows 2k SP2.

(29)[system]

Process file: system or system

Process name: Windows System Process

Description: Microsoft Windows System processes.

Introduction: You will see this process in the task manager, which is a normal system process.

That concludes the introduction to system processes.

In Windows 2k/XP, the following processes must be loaded:

smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe (multiple can exist at the same time), spoolsv.exe, explorer.exe, System Idle Process;

In Windows 9x, the following processes must be loaded:

msgsrv32.exe, mprexe.exe, mmtask.tsk, kernel32.dll.
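
The check below is an added example, not part of the original page. It audits a process snapshot against the Windows 2k/XP must-load list above and flags listed names that run from an unexpected directory (such as the explorer.exe copy in a drive root mentioned in entry 6), near-miss spellings of listed names, and listed processes that are absent. The C:\WINDOWS locations, the single-instance set and the sample snapshot are assumptions constructed for illustration.

```python
import difflib
import ntpath

# Names: the Windows 2k/XP must-load list above. Directories: assumed default
# install with %SystemRoot% = C:\WINDOWS (adjust for the host being checked).
ROOT = r"C:\WINDOWS"
SYS32 = ROOT + r"\system32"
BASELINE = {name: SYS32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
BASELINE["explorer.exe"] = ROOT
# Assumption: single-session host, so these should run exactly once.
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe"}

def audit(processes):
    """Return (findings, missing) for a snapshot of (pid, name, path) rows."""
    findings, good = [], {}
    for pid, name, path in processes:
        key = name.lower()
        if key in BASELINE:
            if ntpath.dirname(path).lower() != BASELINE[key].lower():
                findings.append((pid, name, "unexpected path"))
                continue
            good[key] = good.get(key, 0) + 1  # count only correctly placed copies
            if key in SINGLETONS and good[key] > 1:
                findings.append((pid, name, "duplicate instance"))
        # Heuristic: near-miss spelling of a baseline name (e.g. svhost.exe).
        elif difflib.get_close_matches(key, BASELINE, n=1, cutoff=0.93):
            findings.append((pid, name, "lookalike name"))
    missing = sorted(set(BASELINE) - set(good))
    return findings, missing

# Constructed sample snapshot (pid, image name, image path), not real telemetry.
SAMPLE = [
    (388, "smss.exe", SYS32 + r"\smss.exe"),
    (612, "csrss.exe", SYS32 + r"\csrss.exe"),
    (636, "winlogon.exe", SYS32 + r"\winlogon.exe"),
    (680, "services.exe", SYS32 + r"\services.exe"),
    (692, "lsass.exe", SYS32 + r"\lsass.exe"),
    (856, "svchost.exe", SYS32 + r"\svchost.exe"),
    (912, "svchost.exe", SYS32 + r"\svchost.exe"),
    (1500, "explorer.exe", ROOT + r"\explorer.exe"),
    (1720, "explorer.exe", r"C:\explorer.exe"),          # copy in a drive root
    (1804, "svhost.exe", SYS32 + r"\svhost.exe"),        # misspelled svchost
    (1912, "lsass.exe", ROOT + r"\lsass.exe"),           # right name, wrong folder
    (2040, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    found, absent = audit(SAMPLE)
    print(*found, "missing: " + ", ".join(absent), sep="\n")
```

The name-similarity cutoff is a heuristic: it catches one-letter omissions and additions but not every transposition, so treat a clean result as a first pass only.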