The subject of this post is the processes shown on the Processes tab of Windows Task Manager in Microsoft Windows (both the Windows workstation family and the Windows Server family). There are many processes, so we discuss only the most common ones.
The Processes tab (in the Windows Task Manager window) lists all running processes on the system. These processes fall into three general categories:
- Apps: programs with a main window
- Windows processes: components of Windows itself that do not have a main window, including services
- Background processes: programs that do not have a main window, including services, and are not part of Windows itself
This tab shows the name of every main window and every service associated with each process.
System Processes
All the processes you will see in this section belong to Microsoft Windows.
Alg.exe
Process name: Application Layer Gateway Service
File location: C:\Windows\System32 (the file typically takes about 44544 bytes of storage)
This process is used for Internet Connection Sharing (ICS) and the firewall. If you end this process with Task Manager, you will lose all Internet connectivity until your next system restart or logon.
Audiodg.exe
Process name: Windows Audio Device Graph Isolation
File location: C:\Windows\System32
This process is the audio component of Windows Vista/7/8/10. It isolates audio processing so that other software applications cannot modify or change the audio content or plug-in enhancements.
Csrss.exe
Process name: Client Server Runtime Process
File location: C:\Windows\System32
The csrss.exe process is an important part of the Windows operating system. It is responsible for console windows and the shutdown process, which are critical functions in Windows. Csrss is also responsible for creating and deleting threads and for implementing some portions of the 16-bit virtual MS-DOS environment.
Ctfmon.exe
Process name: Alternative User Input Text Input Processor for Office
File location: C:\Windows\System32
Ctfmon.exe controls Alternative User Input and the Office Language Bar. It monitors active windows and provides text input service support for speech recognition, handwriting recognition, keyboard translation and other alternative user input forms. In other words, this file is what lets you control the computer by speech or a pen tablet, or use the on-screen keyboard inputs for Asian languages.
Desktop.ini
Process name: Windows customizing folders file
File location: any folder, anywhere on the computer
Desktop.ini is a hidden system file that determines how Windows displays a folder. You can customize the folder background, change its icon and create an infotip by creating a Desktop.ini file for that folder. These files can be found in any folder, anywhere on the computer, and they contain information and settings pertaining to that folder. Desktop.ini can be deleted, but any view customizations of the folder containing the file will be reset to the system-wide default.
Dllhost.exe
Process name: DCOM DLL host process
File location: C:\Windows\System32
Dllhost.exe is a host for DLL files and binary executables. This COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. There can be multiple instances of the dllhost.exe process running. Dllhost.exe is typically safe as long as the computer is up to date on all security patches and a reliable antivirus is installed.
Dwm.exe
Process name: Microsoft Desktop Window Manager
File location: C:\Windows\System32
Dwm.exe is a compositing window manager that renders all the pretty effects in Windows: transparent windows, live taskbar thumbnails and even high-resolution monitor support. In other words, dwm is responsible for graphical effects such as live window previews and the glass-like frame around windows (Aero Glass or Windows Aero), without draining the CPU.
Explorer.exe
Process name: Windows Explorer
File location: C:\Windows
This is the user shell, which we see as the familiar taskbar, desktop, file manager and other user interface features. Explorer.exe is a Windows process that runs automatically at startup and remains an active process.
This graphical shell component is responsible for displaying a user-friendly interface that lets you access, copy, delete, cut and perform other actions on files located on the system and on connected networks.
Hiberfil.sys
Process name: Windows hibernation file
File location: The root folder of the drive where the operating system is installed.
Hiberfil.sys is a hidden file that the system creates when the computer goes into hibernation mode. Hibernate mode uses hiberfil.sys to store the current state (memory) of the PC on the hard drive, and the file is read back when Windows is turned on again. Since hiberfil.sys stores all the data on the PC for hibernate mode, it can grow to several gigabytes depending on your use of the hibernate feature. As a result, you may end up with storage issues.
Internat.exe
Process name: loads the different input locales
File location: C:\Windows\System32
Internat.exe runs at startup; it loads the different input locales specified by the user.
This process loads the “EN” icon into the system tray, allowing the user to switch easily between locales. The icon disappears when the process is stopped, but the locales can still be changed through the Control Panel. Internat.exe is not essential for Windows and often causes problems. This service does not exist in Windows Vista/7/8/10, so on those systems an “internat.exe” process could be a virus or Trojan.
Kernel32.dll
Process name: Win32 Kernel core component
File location: C:\Windows\System32
The Kernel32.dll file is a 32-bit dynamic link library file used in Windows 95, 98 and Me. The Kernel32.dll file handles memory management, input/output operations and interrupts.
LogonUI.exe
Process name: Windows Logon User Interface
File location: c:\windows\system32
Logonui.exe is a legitimate file that facilitates user logon to a PC. LogonUI.exe implements the graphical user interface shown when a user is asked to log on to the local machine.
Lsass.exe
Process name: Local security authentication server
File location: C:\Windows\System32
Lsass.exe is the Local Security Authority Subsystem Service; its file description is “LSA shell”. This file verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. Lsass.exe is therefore a crucial component of Microsoft Windows security policy, domain authentication and Active Directory management on the computer.
Lsm.exe
Process name: Local Session Manager Service
File location: C:\Windows\System32
LSM is the Local Session Manager Service in Microsoft Windows. The purpose of the genuine lsm.exe process is to manage all connections related to a server. Lsm.exe is considered part of core Windows functionality. This key process is present by default on Windows 7, Windows 8 and Windows 10.
Mdm.exe
Process name: Machine Debug Manager
File location: C:\windows\system32
Mdm.exe is a legitimate file: the Machine Debug Manager, which is used by the Windows NT Option Pack and Microsoft Developer Studio to provide application debugging.
Mobsync.exe
Process name: Microsoft Synchronization Manager
File location: C:\Windows\System32
Mobsync.exe is the mobile synchronization component of the Internet Explorer web browser. It synchronizes offline web pages and edited offline documents, calendars and email messages. When a Windows Phone is plugged into your PC, it primarily syncs data back and forth between the PC and the mobile device. It can run as a background process and store offline data for Internet Explorer.
Msmsgs.exe
Process name: Windows Messenger
File location: C:\Program Files\Messenger
Windows Messenger from Microsoft provides online chat and instant messaging. If you want this program to start automatically so that it is available when needed, do not disable this file and process.
Mssearch.exe
Process name: Windows Search Engine
File location: C:\Windows\System32
Mssearch.exe is a process belonging to the Microsoft Windows Server suite. There is also a file named mssearch.exe that belongs to Microsoft SQL Server (Microsoft Search for full-text indexing). This program is important for the stable and secure running of your computer and should not be terminated.
Mstask.exe
Process name: Task Scheduler Engine
File location: C:\Windows\System32
This is the Task Scheduler service, responsible for running tasks at times predetermined by the user. The mstask.exe program would have arrived as preinstalled software on your computer. You can use it to start services at particular times, such as running a backup overnight. This service does not exist in Windows Vista/7/8/10, so on those systems an “mstask.exe” process could be a virus or Trojan.
Pagefile.sys
Process name: Windows paging file
File location: the root of any drive that hosts a paging file
This file is really a subject of its own, namely disk paging. Pagefile.sys is a Windows system file that acts as a swap file and was designed to improve performance. Windows uses it as RAM when an application you are running needs more RAM than you actually have. Pagefile.sys is a hidden file. Microsoft strongly recommends that you do not disable or delete the paging file.
PenService.exe
Process name: Pen Service
File location: C:\Windows\System32
PenService.exe (penservice.exe) is part of WISPTIS.
Regsvc.exe
Process name: Remote Registry Service
File location: C:\Windows\System32
Regsvc.exe allows remote registry manipulation and is used by certain utilities. This service does not exist in Windows Vista/7/8/10, so on those systems a “regsvc.exe” process could be a virus or Trojan.
Rundll32.exe
Process name: Run a DLL as an App
File location: C:\Windows\System32
This program is part of Windows and is used to run program code in DLL files as if it were part of an actual program. Since there is no way to launch a DLL file directly, the rundll32.exe application is used to launch functionality stored in shared .dll files. This file is also commonly used by spyware to launch its own malicious code.
Sdclt.exe
Process name: Windows Backup
File location: C:\Windows\System32
This is the process of the Windows Backup tool, also known as Microsoft® Windows Backup. The file is a Windows system file. The process does not appear as a visible window, only in Task Manager.
Services.exe
Process name: Services and Controller app
File location: C:\Windows\System32
This is the Service Control Manager, which is responsible for starting, stopping and interacting with system services. Use it to start services, stop them or change their startup type from automatic to manual. This process also handles the automatic starting of services during the computer's boot-up and the stopping of services during shutdown. It should not be terminated because it is a system process needed for your PC to work properly.
Slsvc.exe
Process name: Microsoft software licensing service
File location: C:\Windows\System32
Slsvc.exe is a legitimate process that implements the Software Licensing Service. To verify its trustworthiness, Microsoft has provided it with an embedded certificate. This software does not appear as a visible window, only in Task Manager. Slsvc.exe is an important Windows process needed for proper PC functionality, so we do not recommend terminating it. Its job is to protect digital products from copyright infringement. If this process consumes too much CPU time, try stopping the service and setting it to Manual startup.
An slsvc.exe file has a 50% certainty of being dangerous if it is found in the C:\Windows directory.
Smss.exe
Process name: Windows NT Session Manager
File location: C:\Windows\System32
This is the Session Manager subsystem, which is responsible for starting the user session. The operating system's main thread activates the file. “smss.exe” launches processes such as Win32 and Winlogon. It also sets the system variables and shuts down the system once those two processes have ended. If Win32 and Winlogon do not stop in the regular fashion, the system may hang because of it.
Spoolsv.exe
Process name: Print+Fax Spooler
File location: C:\Windows\System32
The spooler service is responsible for managing spooled print and fax jobs. Spooling lets you print in the background without tying up your computer. Spoolsv.exe is the executable that runs the Print Spooler service, a process that caches print jobs in system memory as images. When you print something, the print job is sent to the print spooler, which is responsible for handing it off to the printer.
This process should normally not use many of your computer's resources, but it sometimes takes a huge amount, because rendering different file formats into an image suitable for printing often takes time and a lot of memory.
Svchost.exe
Process name: Host Process for Services
File location: C:\Windows\System32
This file is an integral part of the Windows OS. It cannot be stopped or restarted manually. This process manages system services (such as Automatic Updates, Windows Firewall, Plug and Play, Windows Themes and many more) that run from .dll files.
If you have ever browsed through Task Manager, you may have wondered why there are so many Service Host processes running. At startup, svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of svchost.exe will be running simultaneously, so do not worry.
If this process uses a lot of CPU, it is most often because the “Automatic Updates” service is downloading a new Windows update. That said, 99% or 100% CPU usage could also be caused by downloads from hidden malware on your computer.
System
Process name: System process
The “system” process is an executable file on your computer's hard drive. This file contains machine code. The “system” process is responsible for the system memory and compressed memory in the NT kernel. This system process is a single thread running on each processor. It is the host of all kinds of drivers (network, disk, USB).
In Windows 10 this system process has an additional task: compressing old pages of memory so that you have more free memory to use. Non-system processes like [system process] originate from software you installed on your system. Since most applications store data on your hard disk and in your system's registry, it is likely that your computer has suffered fragmentation and accumulated invalid entries, which can affect your PC's performance.
When the Windows OS starts on a PC, the commands contained in the “system” process are executed on your PC. For this purpose, the file is loaded into main memory (RAM) and runs there as a “System Idle Process” process (also called a task).
System Idle
Process name: System Idle process
The System Idle Process indicates the percentage of time that the processor is idle. This process is a single thread running on each processor, whose sole task is to account for processor time when the system is not processing other threads. In other words, the CPU resources used by the System Idle Process are simply the CPU resources that are not being used.
This process always keeps your processor occupied with something to do. Windows runs it under the SYSTEM user account, so it is always active in the background while Windows is running. It is normal to see high CPU usage for the System Idle Process. The System Idle Process always has PID (process identifier) 0 in Windows Task Manager; otherwise it is malware.
Taskeng.exe
Process name: Task Scheduler Engine
File location: C:\Windows\System32
This process belongs to the Windows Vista/7/8/10 operating systems. It is responsible for keeping track of tasks set to run at a time predetermined by the user and for invoking them when necessary. The taskeng.exe file is a Windows core system file. The program is not visible. It is a trustworthy file from Microsoft.
Wercon.exe
Process name: Windows Event Reporting
File location: C:\Windows\System32
Wercon.exe is Windows Event Reporting, a part of Windows Vista/7 that allows program crashes and other system problems to be reported to Microsoft for analysis. The wercon.exe file is a Windows system file. The program has a visible window. It is a trustworthy file from Microsoft. You should not delete this file without a valid reason, as this may affect the performance of any associated programs that use it.
Winlogon.exe
Process name: Windows Logon Application
File location: C:\Windows\System32
The winlogon.exe process is a critical part of the Windows operating system. It runs in the background. Winlogon is part of the Windows logon subsystem and is necessary for user authorization and Windows activation checks.
When you sign in, the winlogon.exe process is responsible for loading your user profile into the registry. This allows programs to use the keys under HKEY_CURRENT_USER, which are different for each Windows user account. Windows Logon is also responsible for locking your PC and starting screen savers after a period of inactivity.
Winmgmt.exe
Process name: Windows Management Instrumentation (WMI)
File location: C:\WINDOWS\System32\Wbem
Winmgmt.exe is a core component of client management in Windows that provides management information and control in an enterprise environment. The WMI service automatically starts when the first management application or script requests connection to a WMI namespace. Winmgmt is the WMI service within the SVCHOST process running under the “LocalSystem” account. Administrators can employ WMI to query and set information on desktop systems, applications, networks and other enterprise components.
Wmiexe.exe
Process name: Windows Management Instrumentation
File location: C:\Windows\System32
This executable houses the WMI service. It is part of the Windows OS and runs as a separate process (Windows 98/NT/2000) or as part of SVCHOST (Windows XP/7 and higher). It interacts with management applications through the COM interface.
This process gives users access to various computer operations.
Wmiprvse.exe
Process name: Windows Management Instrumentation
File location: C:\WINDOWS\System32\Wbem
The wmiprvse.exe process is the WMI Provider Host. It is part of what is known as the Windows Management Instrumentation (WMI) component of Microsoft Windows, which provides management information and control in an enterprise environment. In other words, the WMI Provider Host process lets other applications on your computer request information about your system. The wmiprvse.exe process runs alongside the WMI core process, winmgmt.exe. Multiple instances of wmiprvse.exe can run at the same time under different accounts: LocalSystem, NetworkService or LocalService. The WMI core winmgmt.exe is loaded into the shared Local Service host named svchost.exe.
Wuauclt.exe
Process name: Windows Update AutoUpdate Client
File location: C:\Windows\System32
This is a background process that checks the Microsoft website for updates to the operating system. This process (or utility) checks for and installs important Windows updates. It delivers software updates for the Windows OS as well as several other Microsoft products, including Microsoft Security Essentials and Microsoft Office.
WUDFHost.exe
Process name: Windows Driver Foundation – User-mode Driver Framework Host Process
File location: C:\Windows\System32
This process is part of Windows Vista/7/8/10. Some Windows drivers run in user mode (such as USB drivers), specifically in a process running the executable image WUDFHost.exe. This process is actually a child process of the driver manager service. Wudfhost.exe usually runs under the LocalService account, which has minimum privileges on the local computer. Within Wudfhost.exe, each UMDF driver runs in its own address space and is therefore isolated from the application process and from other instances of the driver host.
The most important and most sensitive point, at the end of this post
We have given the location of each of these files. Whenever you see one of these files running from a different location, that file is most likely malware.
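As an added example, not from the original post: a small Python audit that applies the post's own rules (expected file location, the System Idle Process at PID 0, and the services that no longer exist on Vista or later) to an exported process listing. The process listing in SAMPLE, including its PIDs, account name and paths, is constructed for illustration.

```python
import ntpath

# Expected parent directory of each image, lower-cased, taken from the
# "File location" lines of the post (only entries that give a full directory).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "csrss.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "smss.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "dwm.exe": SYSTEM32,
    "rundll32.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
    "winmgmt.exe": r"c:\windows\system32\wbem",
    "wmiprvse.exe": r"c:\windows\system32\wbem",
    "msmsgs.exe": r"c:\program files\messenger",
}

# Processes the post says do not exist on Windows Vista/7/8/10; on such a
# system their presence is suspicious regardless of where they run from.
LEGACY_ONLY = {"internat.exe", "mstask.exe", "regsvc.exe"}


def audit(processes, modern_windows=True):
    """Return (name, pid, reason) for every entry that breaks a rule of the post.
    processes: iterable of (image name, PID, full image path or "") tuples."""
    findings = []
    for name, pid, path in processes:
        lname = name.lower()
        # Rule 1: the System Idle Process always has PID 0.
        if lname == "system idle process" and pid != 0:
            findings.append((name, pid, "System Idle Process without PID 0"))
            continue
        # Rule 2: retired service binaries should not be running on Vista or later.
        if modern_windows and lname in LEGACY_ONLY:
            findings.append((name, pid, "service does not exist on Windows Vista or later"))
            continue
        # Rule 3: a known Windows image running from the wrong directory.
        expected = EXPECTED_DIR.get(lname)
        if expected is None or not path:
            continue  # not covered by the post, or no path available
        actual_dir = ntpath.dirname(path).lower()
        if actual_dir != expected:
            findings.append((name, pid, f"expected {expected}, found {actual_dir}"))
    return findings


# Constructed sample listing (not real telemetry), in the shape you would get
# by exporting image name, PID and path from Task Manager or tasklist.
SAMPLE = [
    ("System Idle Process", 0, ""),
    ("svchost.exe", 812, r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", 4120, r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("lsass.exe", 700, r"C:\Windows\System32\lsass.exe"),
    ("explorer.exe", 3344, r"C:\Windows\explorer.exe"),
    ("mstask.exe", 5012, r"C:\Windows\System32\mstask.exe"),
    ("wmiprvse.exe", 2288, r"C:\Windows\Temp\wmiprvse.exe"),
]

if __name__ == "__main__":
    for name, pid, reason in audit(SAMPLE):
        print(f"{name} (PID {pid}): {reason}")
```

On 64-bit Windows, 32-bit copies of several of these images also live under C:\Windows\SysWOW64, which the post does not list; add that directory to the table before running this against a real export.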