Processes in the Windows Task Manager
From Free Knowledge Base- The DUCK Project: information for everyone
Windows XP/2000/2003/Vista/7 Services and Background Processes.
- ARA.exe - [non-critical] Norton Protection Adviser / Acer Protection Adviser is a nag screen used to remind owners of a new PC (typically Windows 7) to purchase Symantec Norton Anti Virus software. This is similar to Adware except without the 'ware'. Unnecessary.
- c:\Program Files\Symantec\Norton Online Backup\ARA.exe
- Communications_Helper.exe - [non-critical] A Logitech QuickCam software component installed with the driver for Webcam devices. Automatically run when system starts. Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Communications_Helper.exe This is an unnecessary process.
- c:\Program Files\Common Files\LogiShrd\LComMgr
- Ctfmon.exe - [non-critical] A noncritical and sometimes annoying part of Microsoft Office, Office XP, that activates the Microsoft Office Language Bar and the Alternative User Input Text Input Processor. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. The process can sometimes grow to consume over 100M of system memory. This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry. In %System%
- c:\WINDOWS\system32\ctfmon.exe
- jqs.exe - [non-critical] Java Quick Starter (JQS) improves initial startup time for most Java applets and applications. It is new from Java SE 6 update 10 (6u10). It consumes around 1.5 Megabytes of computer memory and 2 Megabytes of virtual memory. It runs low priority and is relatively harmless, although some users report an increase in cpu activity while the system is idle. The process is useless for someone who does not deal that frequently with Java applets. It is a non-system process. Browse to the Java Quick Starter page for instructions on how to disable.
- c:\Program Files\Java\jre6\bin\jqs.exe
- plugin-container.exe - [non-critical] Mozilla has changed the way plugins run with Firefox. They now use out-of-process plugins to the Firefox web browser. This feature runs specific Firefox plugins, like Adobe’s Flash Player, Quicktime or Silverlight, in their own process whenever they are needed to run elements on a web page. Plugin-Container.exe currently supports Adobe Flash, Apple Quicktime, Microsoft Silverlight. Firefox change to provide you uninterrupted browsing even when certain plugins stops working. This is a good process that represents a positive change by the Mozilla Firefox developers.
- RTHDCPL.exe - [non-critical] Realtek HD Audio Control Panel and is bundled alongside Realtek sound cards
- starwindservice.exe - [non-critical] Belongs to Alcohol 120% and provides network drive sharing capabilities to this product. This program is a non-essential process, but should not be terminated unless suspected to be causing problems. This is a valid program but it is not required to run on startup.
- c:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
- sqlwriter.exe - [non-critical] a process associated with Microsoft SQL Server from Microsoft Corporation. Allows backup and restore applications to operate in the Volume Shadow Copy Service (VSS) framework.
- tbhMonitor.exe - [non-critical] The Browser Highlighter Monitor (tbhMonitor.exe) part of a web browser addon that often gets installed without the user permission. The eBay browser highlighter is installed by some eBay application and also by Skype. A rather useless plugin that negatively impacts the performance of Firefox. See also tbhSystray.exe
- c:\Program Files\tbh\monitor\bin\tbhMonitor.exe
- c:\Program Files\tbh\base\bin\tbhSystray.exe
- wmiprvse.exe - [non-critical] [virus risk] Windows Management Instrumentation (WMI) is found on some but not all XP installations. Normally, wmipvrse.exe is a valid windows/system32 file, and with SP1, it stays in the WDEM directory at about 199KB, and has the SP1 distribution date of 8/29/2002. But when you get the virus, you will find another file, of 38KB size in the Windows/Prefetch directory, with the same name, but a more recent date. Deleting that file and rebooting seems to fix the problem, the original MS file seems unharmed.
- wuauclt.exe - [semi-critical] [virus risk] The file wuauclt.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 124,184 bytes (60% of all occurrence). If wuauclt.exe is located in the folder C:\Windows then the security rating is 73% dangerous. File size is 230,518 bytes (40% of all occurrence), 230,520 bytes, 196,608 bytes, 17,039 bytes, 60,519 bytes, 58,656 bytes. wuauclt.exe is not a Windows system file.
Legacy Notes Section
Services which may be in your task monitor on Windows XP (most apply to Win2k also)
Windows Services, 3rd Party Services and Drivers
process description
-------------------------------------------------------------------------------
USER LEVEL PROCESSES:
1XConfig.exe Shuttle and SCM MicroSystems drivers or USB utilities Tray icon
AltiAgent.exe VOiP software propritary
AltDesk.exe virtual desktop manager for Windows 9x/NT/Me/2000/XP
ApntEx.exe Alps Pointing-device touchpad software driver
Apoint.exe Alps Pointing-device touchpad software driver
F-StopW.exe F-Prot anti-virus background scanner
hkcmd.exe Hotkey Command interpretter part of Intel multimedia devices
igfxtray.exe Intel Graphics Tray Icon Graphics Accelerator Helper
jusched.exe Sun Microsystem's Java updater
PRONoMgr.exe System Tray icon for Intel PRO series Ethernet
STACMON.exe SigmaTel Souncard Monitor stacmon for Sigmatel audio devices
TeaTimer.exe Spybot search and destroy realtime monitor
ZCfgSVC.exe Intel ProSET Zero Config MFC Application Windows 2000/XP/2003 Service
SYSTEM LEVEL PROCESSES:
csrss.exe
LSASS.EXE Local Security Authority Service Process
S24EvMon.exe Event Monitor Wireless extensions for network driver
SERVICES.EXE Windows Service Controller for starting and stopping services
smss.exe MS Windows Session Manager Subsystem
SPOOLSV.EXE Microsoft Printer Spooler responsible for managing print jobs
svchost.exe (*A)DLL generic host process
LOCAL SERVICE PROCESSES:
alg.exe Microsoft Windows Internet Connection sharing and firewall
svchost.exe (*A)DLL generic host process
NETWORK SERVICE PROCESSES:
svchost.exe (*A)DLL generic host process
-------------------------------------------------------------------------------
notes:
(*A). Legit svchost.exe will be present in the %Windir%\System32 folder. They
are generic host process name for services that run from dynamic-link
libraries (DLLs). The Svchost.exe file is located in the
%SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part
%of the registry to construct a list of services that it must load. Multiple
%instances of Svchost.exe can run at the same time. Each Svchost.exe session
%can contain a grouping of services. ( MSKB Article ID : 314056 )
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
PROCESS DETAILS for each svchost:
At the command prompt type tasklist /svc /fi "imagename eq svchost.exe" and
press the enter key. You will see a list of the processes on your computer as
well as the services that a SVCHOST.EXE process is managing.
EXAMPLE:
C:\>tasklist /svc /fi "imagename eq svchost.exe"
Image Name PID Services
========================= ====== =============================================
svchost.exe 852 DcomLaunch, TermService
svchost.exe 940 RpcSs
svchost.exe 1032 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, helpsvc, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, Schedule,
seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, Themes, TrkWks,
W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe 1080 Dnscache
svchost.exe 1136 LmHosts, RemoteRegistry, SSDPSRV, WebClient
Key Words: process task tsr background manager processes virus terminate stay resident
