Believe me, your system behaves correctly when only trusted, clean services and processes are running on it, and it behaves strangely, slowly or abnormally when vulnerable, heavy or malicious services and processes are running on it.
So I prefer to start this tutorial with a bit about services and processes and how to handle them. By learning this you not only can protect your system by stopping the execution of a malicious or vulnerable program, but can also make it much faster by stopping the heavy and (in most cases) unnecessary programs and services that keep running even though you hardly need them.
I am a very strong supporter of the KISS approach. The word has many other meanings, but in our computer field it stands for Keep It Simple & Stupid.
Even for the toughest problem in the world there is a solution that is really simple and very straightforward (stupid), and most of the time it is the BEST one.
For the scenarios mentioned above there are also many easy-to-use tools that can give you all the information you are looking for in a very direct way.
The usual symptoms of a slow or compromised system are slow response, high usage of system resources (CPU, memory, bandwidth, disk), and unusual behaviour such as an application suddenly opening, an active window closing on its own, and so on.
So let’s start our journey of system exploration.
First of all, I recommend you go to SYSINTERNAL LINK, and if you really are a security-minded fellow you MUST have all these tools with you. The Sysinternals tools are published by Microsoft and give you detailed information about your system.
In today's section I will discuss a very powerful and easy-to-use tool called "Process Explorer" (you can download it separately from the same link). This tool gives very in-depth information about the services and processes running on the system, including details that even we professionals need in order to judge whether a service or process is clean and required or not.
As I said, I believe in simplicity, so I will start with a step-by-step guide to using this tool.
First get the tool and simply launch it (IMPORTANT: on Vista and Windows 7, run it as administrator; otherwise details such as the image path and properties of processes owned by other users, which includes most services, are not available).
The first screen you get will look like:
Confused or shocked? Wait! All of your system's information is hidden in this one screen, and believe me, using this tool is as easy as ABC.
You will see several colours on the main UI, so first take some time to understand what each colour stands for (the legend is under Options => Configure Colors).
As a very common user we are only interested in Services (PINK), Own Processes (LIGHT BLUE), Jobs (BROWN) and New Objects (GREEN). IMPORTANT: green is only a temporary highlight; after the difference-highlight duration (one second by default, see Options => Difference Highlight Duration) a new object takes its normal colour, so it becomes PINK if it is a service, LIGHT BLUE if it is one of your own processes, BROWN if it is a job, and so on.
So in the picture above I can say that MDM.exe is a SERVICE and BCMWLTRY.exe is a .NET process (both enclosed in square boxes).
In this manner the tool lists all the services, jobs and processes running on your system. For each one it also shows the PID (process ID), the CPU utilisation, a brief description (if available), the image's company name (if available) and the image path (where this executable resides on your system). These columns are enabled by default; there are many more, and you can enable or disable them as you need under View => Select Columns => Process Image.
The tool also shows which process started which: the tree view nests each process under its parent. A service is simply a process that was started by the Service Control Manager (services.exe), so services appear under services.exe, and several services can share one svchost.exe host process. A "job" row is a process that belongs to a Windows job object. This parent/child tree is one of the most useful things in the tool, because a legitimate program launched from an unexpected parent is a classic sign of trouble.
So just have a look at the picture below:
In this picture ccsvchst.exe appears twice: one instance is a service (pink) and the other is a child process of the same name. Their process IDs (PIDs) are 2843 and 3708, their CPU consumption is 0 and 0 (don't worry, this is normal for idle or suspended processes, services and jobs), their description is "Symantec Service Framework", the company is Symantec, and their paths on your system are C:\... and C:\... respectively.
explorer.exe, on the other hand, sits at the top level of the tree (the process that started it has already exited) and is the parent of a JOB named WINWORD.exe and of a process named procexp.exe. Ymsgr_tray.exe is a single job process at the top level with no living parent.
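Rebuilding the same tree without the GUI, as an added example that is not part of the original tutorial: the PowerShell script below (the script and its function names are mine) lists every process under its parent from WMI, tags the rows that host Windows services, and prints the company name and image path the way the default columns do. It assumes an elevated PowerShell 3.0 or later on Windows, so that the CIM cmdlets are available and every process is visible; it only reads and changes nothing.

```powershell
# Added example, not part of the original tutorial: rebuild the parent/child
# tree that Process Explorer draws, from WMI, and tag the processes that host
# services (the "pink" rows). Run in an elevated PowerShell so every process
# is visible; the script only reads, it changes nothing.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Service name(s) per hosting PID; one svchost.exe usually hosts several.
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    if ($s.ProcessId -ne 0) { $svcByPid[[int]$s.ProcessId] += @($s.Name) }
}

# PIDs are reused, so a live "parent" may be an unrelated process that was
# given the old PID. Accept it as the real parent only if it is older than
# the child (PID 0 lists itself as its parent and is treated as a root).
function Test-RealParent($Child) {
    $parent = $byPid[[int]$Child.ParentProcessId]
    if (-not $parent -or $parent.ProcessId -eq $Child.ProcessId) { return $false }
    if ($parent.CreationDate -and $Child.CreationDate -and
        $parent.CreationDate -gt $Child.CreationDate) { return $false }
    return $true
}

$seen = @{}
function Show-Tree($Proc, [int]$Depth) {
    $id = [int]$Proc.ProcessId
    if ($seen.ContainsKey($id)) { return }      # guard against PID-reuse loops
    $seen[$id] = $true
    $tag = ''
    if ($svcByPid.ContainsKey($id)) { $tag = '  [services: ' + ($svcByPid[$id] -join ', ') + ']' }
    # Company name comes from the file's version resource, like the Company Name column.
    $company = ''
    if ($Proc.ExecutablePath) {
        $item = Get-Item -LiteralPath $Proc.ExecutablePath -ErrorAction SilentlyContinue
        if ($item) { $company = '  <' + $item.VersionInfo.CompanyName + '>' }
    }
    '{0}{1} (PID {2}){3}{4}  {5}' -f ('  ' * $Depth), $Proc.Name, $id, $tag, $company, $Proc.ExecutablePath
    $children = $procs | Where-Object { [int]$_.ParentProcessId -eq $id -and (Test-RealParent $_) }
    foreach ($c in ($children | Sort-Object ProcessId)) { Show-Tree $c ($Depth + 1) }
}

# Roots: processes whose parent is gone (explorer.exe is the usual case, since
# the userinit.exe that started it has exited) plus the System Idle Process.
foreach ($r in ($procs | Where-Object { -not (Test-RealParent $_) } | Sort-Object ProcessId)) {
    Show-Tree $r 0
}
```

The creation-date check matters more than it looks: after a reboot-free week, a long-running process can easily report a parent PID that now belongs to something unrelated, and a naive tree would hang a system service under, say, a browser tab.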
Now that we have enough information about an image, let's explore its impact on the system.
Doing this is also pretty simple: right-click on any image and select Properties from the menu that appears.
For example, here I have chosen to view the properties of "Ymsgr_tray.exe".
Doing this brings up this window:
Here we need the information from only two tabs (in fact only one) to tell how much impact an image has on the system.
These two tabs are Performance and Performance Graph (as the name suggests, the latter is a graphical representation of the former). For ease, start with the graphical tab:
As the graph shows, the image is not using any CPU right now, is not performing any I/O (input/output, meaning reads and writes to files, devices and the network; ordinary memory access does not count as I/O), and has 18.9 MB of private bytes. Private bytes is the memory the process has committed for its own use; the part that is actually resident in RAM is the working set, which the Performance tab lists separately.
Now we move to the textual representation of the performance data. The benefit of coming here is that we get exact numbers.
So here I can say that this image runs with base priority 8 (Normal), has consumed 0:0:0.358 seconds of KERNEL TIME and 0:0:0.031 seconds of USER TIME, and, most importantly, holds 77 open handles (handles are references to system resources such as files, registry keys and synchronisation objects; a steadily growing count is a leak and hurts system performance, but I am leaving that for a later discussion). 77 handles is not a big count. GDI is the number of graphics handles the image holds; again I am leaving this topic for now, and 93 is a fairly small number (Windows allows up to 10,000 GDI handles per process by default).
The other fields are only the textual representation of the data we saw in the graphical window.
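The same figures, sampled from a script rather than read off the tab, as an added example that is not part of the original tutorial: the function below (my code, hypothetical name Get-ProcessImpact) takes two snapshots of a process a few seconds apart and turns CPU time and I/O bytes into rates the way the Performance Graph does, alongside priority, private bytes, working set and handle count. It assumes Windows PowerShell 3.0 or later; GDI and USER handle counts are not exposed by these cmdlets, so they are left out.

```powershell
# Added example, not part of the original tutorial: sample what the
# Performance tab reports for one process, a few seconds apart, and turn the
# counters into rates. GDI/USER handle counts are not available this way.
function Get-ProcessImpact {
    param([Parameter(Mandatory)][int]$Id, [int]$Seconds = 5)

    $before   = Get-Process -Id $Id
    $ioBefore = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $Id"
    Start-Sleep -Seconds $Seconds
    $after    = Get-Process -Id $Id
    $ioAfter  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $Id"

    # CPU time consumed inside the window, as a percentage of all cores.
    $cpuSeconds = ($after.TotalProcessorTime - $before.TotalProcessorTime).TotalSeconds
    $cpuPercent = 100 * $cpuSeconds / ($Seconds * [Environment]::ProcessorCount)

    # I/O bytes moved inside the window: file, device and network transfers.
    # Plain memory access is not I/O and does not show up here.
    $bytesBefore = $ioBefore.ReadTransferCount + $ioBefore.WriteTransferCount + $ioBefore.OtherTransferCount
    $bytesAfter  = $ioAfter.ReadTransferCount  + $ioAfter.WriteTransferCount  + $ioAfter.OtherTransferCount

    [pscustomobject]@{
        Name         = $after.ProcessName
        BasePriority = $after.BasePriority                                 # 8 = Normal
        CpuPercent   = [math]::Round($cpuPercent, 1)
        KernelTime   = $after.PrivilegedProcessorTime
        UserTime     = $after.UserProcessorTime
        PrivateMB    = [math]::Round($after.PrivateMemorySize64 / 1MB, 1)  # committed private memory
        WorkingSetMB = [math]::Round($after.WorkingSet64 / 1MB, 1)         # part actually resident in RAM
        Handles      = $after.HandleCount
        IoKBPerSec   = [math]::Round(($bytesAfter - $bytesBefore) / 1KB / $Seconds, 1)
    }
}

# Usage: substitute the name of the process you are looking at.
$target = Get-Process -Name Ymsgr_tray | Select-Object -First 1
Get-ProcessImpact -Id $target.Id -Seconds 5 | Format-List
```

A single snapshot of "0 % CPU" says little; a process that wakes up every few minutes to phone home shows as idle most of the time, so sample it repeatedly or over a longer window before concluding it is harmless.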
So all this information gives us a fair amount of data for deciding whether an image is clean (is it from a trusted manufacturer and running under a trusted parent?) and whether it has an acceptable impact on my system (is it consuming a fair amount of CPU, a fair amount of memory, and doing expected and allowed I/O?). The other very important tab is the Security tab, which gives further and more advanced details of this image: the user account the process runs as, the groups in its token (with flags such as Mandatory, Enabled, Owner and Deny) and the privileges in its token.
The main points to notice here are:
1) Is it running as a normal user account? Unless an image is a service it hardly ever needs administrator rights.
2) Is the Administrators group absent from its token, or present with the Deny flag? (Under UAC a non-elevated program run by an administrator gets a filtered token in which BUILTIN\Administrators is still listed but marked Deny, so it grants nothing; the reason for the check is the same as above.)
3) Which privileges does this image hold? "SeChangeNotifyPrivilege" (bypass traverse checking) lets the process pass through directories it has no explicit access to and receive file-change notifications; every token has it, so it tells you nothing.
4) The other privileges, like "SeIncreaseWorkingSetPrivilege" (the ability to raise the process's own minimum working set, i.e. keep more of its memory resident in RAM) and the rest, which are fairly self-explanatory: if they are not set, fine; if they are set, ask whether this image really needs them (you can judge this from what the image does; usually such privileges are needed by services). The ones worth a hard look are SeDebugPrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege, SeBackupPrivilege and SeRestorePrivilege, because a process that holds them enabled can reach into other processes, act as other users, load kernel code, or read and write any file.
IMPORTANT: a process does not ask for privileges when it starts. It inherits a copy of its parent's access token, and that token comes ultimately from the user's logon session or, for a service, from the account the Service Control Manager starts it as. A privilege that is present in the token can be enabled or disabled by the process; a privilege that is not in the token cannot be obtained at all. The token therefore also differs from OS to OS and from session to session: for example, see the privilege list below for the process "Process Explorer" itself when it runs on Windows Vista with ADMIN privileges.
As we see, the ADMIN group flag is set for this image, which means this image is running with administrator privileges, and we can also see the list of all privileges associated with it.
So now we have fair enough data about this image to make up our mind about what it is doing on my system, with what privileges it is running, and what it actually is.
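The checks from points 1 to 4 above, asked of a token from a script, as an added example that is not part of the original tutorial: the PowerShell below (my code) inspects the current PowerShell process's own token, reports whether the Administrators membership is effective or deny-only, lists the groups, and marks the privileges on an assumed watch-list of the dangerous ones. Run it once from a normal window and once from an elevated ("Run as administrator") window to see the difference UAC makes. Reading another process's token needs OpenProcessToken through P/Invoke and is deliberately not shown here.

```powershell
# Added example, not part of the original tutorial: ask the current
# PowerShell process's own token the questions the Security tab answers.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# IsInRole ignores deny-only groups, so this is $false in a UAC-filtered token
# even though BUILTIN\Administrators is still listed there (flagged Deny).
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
'User: {0}   Effective administrator rights: {1}' -f $identity.Name, $isAdmin

'Groups in token:'
foreach ($sid in $identity.Groups) {
    try   { '  ' + $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '  ' + $sid.Value }   # SIDs with no name, e.g. logon-session SIDs
}

# Assumed watch-list: privileges that let a process step outside its own
# boundary. A normal user application should hold none of these enabled.
$highRisk = @('SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
              'SeTcbPrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege',
              'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeCreateTokenPrivilege')

'Privileges in token:'
# whoami /priv lists every privilege present in the token with its state
# (Enabled or Disabled); absent privileges cannot be enabled at all.
foreach ($priv in (whoami /priv /fo csv | ConvertFrom-Csv)) {
    $mark = if ($highRisk -contains $priv.'Privilege Name') { '  <-- high risk' } else { '' }
    '  {0,-32} {1,-9} {2}{3}' -f $priv.'Privilege Name', $priv.State, $priv.Description, $mark
}
```

From a non-elevated window you should see SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege plus a handful of others, and none of the marked ones; from an elevated window the marked ones appear, mostly Disabled, which is exactly the difference the two Process Explorer screenshots above illustrate.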
However, there is one last weapon left, which sends you directly to a web search that may give much more information about this image.
Even that door is opened by Process Explorer itself.
If you want to know more about an image, simply right-click on it and select "Search Online" from the menu that appears.
It opens your default browser with a web search for the image name and shows whatever the search engine has found for it.
For example, for the image Ymsgr_tray.exe:
This click redirected me to the search page.
As you can see, there is a lot of information here. Clicking on the first link took me to this page:
Here I got more information about this image, which can be valuable in deciding whether it should be allowed to run on my system or not. One caveat: these are ordinary search results, written by anyone, and malware is routinely named after legitimate files, so a reassuring page about a file name proves nothing about the copy on your machine. Check that the image path matches what the page describes, and use the Verify button on the Image tab of the same Properties window to confirm that the file carries a valid digital signature from the company it claims to come from.