Standard Process Lists for different OS's

Stryder

05-02-04, 07:29 AM

Standard Processes for different OS's

The following are standard process lists for their relevant OS.
A Process list is what programs are running on your system which you can find with the aid of "TASK MANAGER" (Thats CTRL+ALT+DEL)

The OS's in question are all Microsoft.
(Thats because most other OS's don't suffer so many problems)

Just because a process isn't mentioned here doesn't mean it isn't vital however you can either try killing it in the process list, which at worst can cause your system to hang/crash/destablise and require a reboot.
Such things not mentioned might be mouse drivers, zip disk drivers, camera's , screen or display drivers and other things that might appear in you taskbar.

[If you have an OS thats not mentioned here, and would like to submit a process list feel free to post yours up. (Like: winME and XP Home)

If you want to stop a process from starting up, you can either use MSCONFIG, edit the Registry or use a program like: http://www.mlin.net/StartupCPL.shtml ]

Win98 Processes (Not all these necessarily run on a machine):

# The very basics of a Win98 OS (Windows will not function fully without this)
C:\WINDOWS\EXPLORER.EXE

# places the icons for running programs on the taskbar.
C:\WINDOWS\SYSTEM\SYSTRAY.EXE

# File sometimes loaded to allow drivers to make peripherals function
C:\WINDOWS\SYSTEM\KERNEL32.DLL

# Program that reports your file storage to defrager, so it can defrag properly.
C:\WINDOWS\TASKMON.EXE

# System's monitor process.
C:\WINDOWS\SYSTEM\WMIEXE.EXE

# Windows Routing Process, used for dealing with network/adapter connections.
C:\WINDOWS\SYSTEM\MPREXE.EXE

# Windows Message server (Deals with e-mail, MSN/windows messenger and other events)
C:\WINDOWS\SYSTEM\MSGSRV32.EXE

# This is a Directx program
C:\WINDOWS\SYSTEM\DDHELP.EXE

# This is a Printer Spool
C:\WINDOWS\SYSTEM\SPOOL32.EXE

# These are used by Task Manager
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk

# MSN Messenger has these attached
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

# Microsoft Office has these two
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE

Win XP Pro Processes:

# Task Manager
taskmgr.exe

# Normal Explorer and Internet Explorer
explorer.exe
iexplore.exe

# WMDM PMSP Service (Windows Media Player)
MsPMSPSv.exe

# This is a big one to cover, there can be many instance of svchost.exe running on a machine
# thats because it's a generic host process, it's code that can be used to help aid other
# programs interface better with the OS. Such things that might make them appear can be
# dialups and network connections, to name a few, however sometimes Trojans and viruses
# have been known to mimic a svchost.exe entry, which means for you to realise it's not
# a real one you would have to either use a program to work it out automatically for you
# or look at your entries in either the Registry or MSCONFIG.
# (Systems SERVICES can be turned off to lower the number of svchost entries)
svchost.exe

# Machine Debug Manager
mdm.exe

# Printer Spool
spoolsv.exe

# Local Security Authority Service deals with how to authenticate.
lsass.exe
# Windows Logon Process Covers the login and Logoff of a user, however needs lsass.exe
winlogon.exe

# Note: both lsass.exe and winlogon.exe can be mimiced sometimes, not just to attempt to
# be stealthy in a process list, but also to try and manipulate the programs other components
# to think it's the real one.

# Windows Service Controller starts and stops services (better resource handling)
services.exe

# client/Server Runtime Server Subsystem, handles windows and graphics functions.
csrss.exe

# Session Manager Subsystem, starts,manages and deletes user and terminal user sessions.
smss.exe

# System process, "0"s all free RAM. (Something win98 doesn't do. Better resource Handling.)
System

# Systems Loop that defines if there is idle time available for a process/function/program to run.
System Idle Process

Rick

05-10-04, 05:22 AM

Theres no mention of UNIX.
heres content from MANUAL.

The System V ps command will normally only print the processes that are associated with the terminal on which the program is being run. To list all of the processes that are running on your computer, you must run the program with the -ef options. The options are:

Option

Effect

e

List all processes

f

Produce a full listing

For example:

sun.vineyard.net% /bin/ps -ef
UID PID PPID C STIME TTY TIME COMD
root 0 0 64 Nov 16 ? 0:01 sched
root 1 0 80 Nov 16 ? 9:56 /etc/init -
root 2 0 80 Nov 16 ? 0:10 pageout
root 3 0 80 Nov 16 ? 78:20 fsflush
root 227 1 24 Nov 16 ? 0:00 /usr/lib/saf/sac -t 300
root 269 1 18 Nov 16 console 0:00 /usr/lib/saf/ttymon -g - root 97 1 80 Nov 16 ? 1:02 /usr/sbin/rpcbind
root 208 1 80 Nov 16 ? 0:01 /usr/dt/bin/dtlogin
root 99 1 21 Nov 16 ? 0:00 /usr/sbin/keyserv
root 117 1 12 Nov 16 ? 0:00 /usr/lib/nfs/statd
root 105 1 12 Nov 16 ? 0:00 /usr/sbin/kerbd
root 119 1 27 Nov 16 ? 0:00 /usr/lib/nfs/lockd
root 138 1 12 Nov 16 ? 0:00 /usr/lib/autofs/automoun root 162 1 62 Nov 16 ? 0:01 /usr/lib/lpsched
root 142 1 41 Nov 16 ? 0:00 /usr/sbin/syslogd
root 152 1 80 Nov 16 ? 0:07 /usr/sbin/cron
root 169 162 8 Nov 16 ? 0:00 lpNet
root 172 1 80 Nov 16 ? 0:02 /usr/lib/sendmail -q1h
root 199 1 80 Nov 16 ? 0:02 /usr/sbin/vold
root 180 1 80 Nov 16 ? 0:04 /usr/lib/utmpd
root 234 227 31 Nov 16 ? 0:00 /usr/lib/saf/listen tcp
simsong 14670 14563 13 12:22:12 pts/11 0:00 rlogin next
root 235 227 45 Nov 16 ? 0:00 /usr/lib/saf/ttymon
simsong 14673 14535 34 12:23:06 pts/5 0:00 rlogin next
simsong 14509 1 80 11:32:43 ? 0:05 /usr/dt/bin/dsdm
simsong 14528 14520 80 11:32:51 ? 0:18 dtwm
simsong 14535 14533 66 11:33:04 pts/5 0:01 /usr/local/bin/tcsh
simsong 14529 14520 80 11:32:56 ? 0:03 dtfile -session dta003TF
root 14467 1 11 11:32:23 ? 0:00 /usr/openwin/bin/fbconso simsong 14635 14533 80 11:48:18 pts/12 0:01 /usr/local/bin/tcsh
simsong 14728 14727 65 15:29:20 pts/9 0:01 rlogin next
root 332 114 80 Nov 16 ? 0:02 /usr/dt/bin/rpc.ttdbserv root 14086 208 80 Dec 01 ? 8:26 /usr/openwin/bin/Xsun :0 simsong 13121 13098 80 Nov 29 pts/6 0:01 /usr/local/bin/tcsh
simsong 15074 14635 20 10:48:34 pts/12 0:00 /bin/ps -ef

Table 27.2 describes the meaning of each field in this output.

Field in ps Output (System V)
Table C.1: Feild in ps Output (System V)

Field

Meaning

UID

The username of the person running the command

PID

The process's identification number (see next section)

PPID

The process ID of the process's parent process

C

The processor utilization; an indication of how much CPU time the process is using at the moment

STIME

The time that the process started executing

TTY

The controlling terminal for the process

TIME

The total amount of CPU time that the process has used

COMD

The command that was used to start the process
C.1.2.2 Listing processes with Berkeley-derived versions of UNIX

With Berkeley UNIX, you can use the command:

% ps -auxww

to display detailed information about every process running on your computer. The options specified in this command are:

Option

Effect

a

List all processes

u

Display the information in a user-oriented style

x

Include information on processes that do not have controlling ttys

ww

Include the complete command lines, even if they run past 132 columns

For example:[1]

[1] Many Berkeley-derived versions also show a start time (START) between STAT and TIME.

% ps -auxww
USER PID %CPU %MEM SZ RSS TT STAT TIME COMMAND
simsong 1996 62.6 0.6 1136 1000 q8 R 0:02 ps auxww
root 111 0.0 0.0 32 16 ? I 1:10 /etc/biod 4
daemon 115 0.0 0.1 164 148 ? S 2:06 /etc/syslog
root 103 0.0 0.1 140 116 ? I 0:44 /etc/portmap
root 116 0.0 0.5 860 832 ? I 12:24 /etc/mountd -i -s
root 191 0.0 0.2 384 352 ? I 0:30 /usr/etc/bin/lpd
root 73 0.0 0.3 528 484 ? S < 7:31 /usr/etc/ntpd -n
root 4 0.0 0.0 0 0 ? I 0:00 tpathd
root 3 0.0 0.0 0 0 ? R 0:00 idleproc
root 2 0.0 0.0 4096 0 ? D 0:00 pagedaemon
root 239 0.0 0.1 180 156 co I 0:00 std.9600 console
root 0 0.0 0.0 0 0 ? D 0:08 swapper
root 178 0.0 0.3 700 616 ? I 6:31 /etc/snmpd
root 174 0.0 0.1 184 148 ? S 5:06 /etc/inetd
root 168 0.0 0.0 56 44 ? I 0:16 /etc/cron
root 132 0.0 0.2 452 352 co I 0:11 /usr/etc/lockd
jdavis 383 0.0 0.1 176 96 p0 I 0:03 rlogin hymie
ishii 1985 0.0 0.1 284 152 q1 S 0:00 /usr/ucb/mail bl
root 26795 0.0 0.1 128 92 ? S 0:00 timed
root 25728 0.0 0.0 136 56 t3 I 0:00 telnetd
jdavis 359 0.0 0.1 540 212 p0 I 0:00 -tcsh (tcsh)
root 205 0.0 0.1 216 168 ? I 0:04 /usr/local/cap/atis
kkarahal 16296 0.0 0.4 1144 640 ? I 0:00 emacs
root 358 0.0 0.0 120 44 p0 I 0:03 rlogind
root 26568 0.0 0.0 0 0 ? Z 0:00 <exiting>
root 10862 0.0 0.1 376 112 ? I 0:00 rshd

The fields in this output are described in Table 27.3. Individual STAT characters are described in Tables C-3, C-4, and C-5.
Table C.2: Fields in ps Output (Berkeley-derived)

Field

Meaning

USER

The username of the process. If the process has a UID (described in the next section) that does not appear in /etc/passwd, the UID is printed instead.[2]

PID

The process's identification number

%CPU, %MEM

The percentage of the system's CPU and memory that the process is using

SZ

The amount of virtual memory that the process is using

RSS

The resident set size of the process*- the amount of physical memory that the process is occupying

TT

The terminal that is controlling the process

STAT

A field denoting the status of the process; up to three letters (four under SunOS) are shown

TIME

CPU time used by the process

COMMAND

The name of the command (and arguments)

[2] If this happens, follow up to be sure you don't have an intruder.
Table C.3: . Runnability of Process (First Letter of STAT Field)

Letter

Meaning

R

Actually running or runnable

S

Sleeping (sleeping > 20 seconds)

I

Idle (sleeping < 20 seconds)

T

Stopped

H

Halted

P

In page wait

D

In disk wait

Z

Zombie
Table C.4: . Whether Process Swapped (Second Letter of STAT Field)

Letter

Meaning

<Blank>

In core

W

Swapped out

>

A process that has exceeded a soft limit on memory requirements
Table C.5: . Whether Process Is running with Altered CPU Schedule (Third Letter of STAT Field)

Letter

Meaning

N

The process is running at a low priority

#

nice (a number greater than 0).

<

The process is running at a high priority.

NOTE: Because command arguments are stored in the process's own memory space, a process can change what appears on its command line. If you suspect that a process may not be what it claims to be, type:

% ps -c

This causes ps to print the name of the command stored in the kernel. This approach is substantially faster than the standard ps, and is more suitable for use with scripts that run periodically. Unfortunately, the ps -c display does not include the arguments of each command that is running.
C.1.3 Process Properties

The kernel maintains a set of properties for every UNIX process. Most of these properties are denoted by numbers. Some of these numbers refer to processes, while others determine what privileges the processes have.
C.1.3.1 Process identification numbers (PID)

Every process is assigned a unique number called the process identifier, or PID. The first process to run, called init, is given the number 1. Process numbers can range from 1 to 65535.[3] When the kernel runs out of process numbers, it recycles them. The kernel guarantees that no two active processes will ever have the same number.

[3] Some versions of UNIX may allow process numbers in a range different from 1 to 65535.
C.1.3.2 Process real and effective UID

Every UNIX process has two user identifiers: a real UID and an effective UID.

The real UID (RUID) is the actual user identifier (UID) of the person who is running the program. It is usually the same as the UID of the actual person who is logged into the computer, sitting in front of the terminal (or workstation).

The effective UID (EUID) identifies the actual privileges of the process that is running.

Normally, the real UID and the effective UID are the same. That is, normally you have only the privileges associated with your own UID. Sometimes, however, the real and effective UID can be different. This occurs when a user runs a special kind of program, called a SUID program, which is used to accomplish a specific function (such as changing the user's password). SUID programs are described in Chapter 4, Users, Groups, and the Superuser.
C.1.3.3 Process priority and niceness

Although UNIX is a multitasking operating system, most computers that run UNIX can run only a single process at a time.[4] Every fraction of a second, the UNIX operating system rapidly switches between many different processes, so that each one gets a little bit of work done within a given amount of time. A tiny but important part of the UNIX kernel called the process scheduler decides which process is allowed to run at any given moment and how much CPU time that process should get.

[4] Multiprocessor computers can run as many processes at a time as they have processors.

To calculate which process it should run next, the scheduler computes the priority of every process. The process with the lowest priority number (or the highest priority) runs. A process's priority is determined with a complex formula that includes what the process is doing and how much CPU time the process has already consumed. A special number, called the nice number or simply the nice, biases this calculation: the lower a process's nice number, the higher its priority, and the more likely that it will be run.

On most versions of UNIX, nice numbers are limited from -20 to +20. Most processes have a nice of 0. A process with a nice number of +19 will probably not run until the system is almost completely idle; likewise, a process with a nice number of -19 will probably preempt every other user process on the system.

Sometimes you will want to make a process run slower. In some cases, processes take more than their "fair share" of the CPU, but you don't want to kill them outright. An example is a program that a researcher has left running overnight to perform mathematical calculations that isn't finished the next morning. In this case, rather than killing the process and forcing the researcher to restart it later from the beginning, you could simply cut the amount of CPU time that the process is getting and let it finish slowly during the day. The program /etc/renice lets you change a process's niceness.

For example, suppose that Mike left a program running before he went home. Now it's late at night, and Mike's program is taking up most of the computer's CPU time:

% ps aux | head -5
USER PID %CPU %MEM VSIZE RSIZE TT STAT TIME COMMAND
mike 211 70.0 6.7 2.26M 1.08M 01 R 4:01 cruncher
mike 129 8.2 15.1 7.06M 2.41M 01 S 0:48 csh
donna 212 7.0 7.3 2.56M 1.16M p1 S 1:38 csh
michelle 290 4.0 11.9 14.4M 1.91M 03 R 19:00 rogue %

You could slow down Mike's program by renicing it to a higher nice number.

For security reasons, normal users are only allowed to increase the nice numbers of their own processes. Only the superuser can lower the nice number of a process or raise the nice number of somebody else's process. (Fortunately, in this example, we know the superuser password!)

% /bin/su
password: another39
# /etc/renice +4 211
211: old priority 0, new priority 4
# ps u211
USER PID %CPU %MEM VSIZE RSIZE TT STAT TIME COMMAND
mike 211 1.5 6.7 2.26M 1.08M 01 R N 4:02 cruncher

The N in the STAT field indicates that the cruncher process is now running at a lower priority (it is "niced"). Notice that the process's CPU consumption has already decreased. Any new processes that are spawned by the process with PID 211 will inherit this new nice value, too.

You can also use /etc/renice to lower the nice number of a process to make it finish faster.[5] Although setting a process to a lower priority won't speed up the CPU or make your computer's hard disk transfer data faster, the negative nice number will cause UNIX to run a particular process more than it runs others on the system. Of course, if you ran every process with the same negative priority, there wouldn't be any apparent benefit.

[5] Only root can renice a process to make it faster. Normal processes can't even change themselves back to what they were (if they've been niced down). Normal users can't even raise the priority of their processes to the value at which they were started.

Some versions of the renice command allow you to change the nice of all processes belonging to a user or all processes in a process group (described in the next section). For instance, to speed up all of Mike's processes, you might type:

# renice -2 -u mike

Remember, processes with a lower nice number run faster.

Note that because of the UNIX scheduling system, renicing several processes to lower numbers is likely to increase paging activity if there is limited physical memory, and therefore adversely impact overall system performance.

What do process priority and niceness have to do with security? If an intruder has broken into your system and you have contacted the authorities and are tracing the phone call, slowing the intruder down with a priority of +10 or +15 will limit the damage that the intruder can do without hanging up the phone (and losing your chance to catch the intruder). Of course, any time that an intruder is on a system, exercise extreme caution.

Also, running your own shell with a higher priority may give you an advantage if the system is heavily loaded. The easiest way to do so is by typing:

# renice -5 $$

The shell will replace the $$ with the PID of the shell's process.
C.1.3.4 Process groups and sessions

With Berkeley-derived versions of UNIX, including SVR4, each process is assigned a process ID (PID), a process group ID, and a session ID. Process groups and sessions are used to implement job control.

For each process, the PID is a unique number, the process group ID is the PID of the process group leader process, and the session ID is the PID of the session leader process. When a process is created, it inherits the process group ID and the session ID of its parent process. Any process may create a new process group by calling setpgrp() and may create a new session by calling the UNIX system call setsid(). All processes that have the same process group ID are said to be in the same process group.

Each UNIX process group belongs to a session group. This is used to help manage signals and orphaned processes. Once a user has logged in, the user may start multiple sets of processes, or jobs, using the shell's job-control mechanism. A job may have a single process, such as a single invocation of the ls command. Alternatively, a job may have several processes, such as a complex shell pipeline. For each of these jobs, there is a process group. UNIX also keeps track of the particular process group which is controlling the terminal. This can be set or changed with ioctl() system calls. Only the controlling process group can read or write to the terminal.

A process could become an orphan if its parent process exits but it continues to run. Historically, these processes would be inherited by the init process but would remain in their original process group. If a signal were sent by the controlling terminal (process group), then it would go to the orphaned process, even though it no longer had any real connection to the terminal or the rest of the process group.

To counter this, POSIX defines an orphaned process group. This is a process group where the parent of every member is either not a member of the process group's session, or is itself a member of the same process group. Orphaned process groups are not sent terminal signals when they are generated. Because of the way in which new sessions are created, the initial process in the first process group is always an orphan (its ancestor is not in the session). Command interpreters are usually spawned as session leaders so they ignore TSTP signals from the terminal.

bye!