Standard Processes for different OS's The following are standard process lists for their relevant OS. A Process list is what programs are running on your system which you can find with the aid of "TASK MANAGER" (Thats CTRL+ALT+DEL) The OS's in question are all Microsoft. (Thats because most other OS's don't suffer so many problems) Just because a process isn't mentioned here doesn't mean it isn't vital however you can either try killing it in the process list, which at worst can cause your system to hang/crash/destablise and require a reboot. Such things not mentioned might be mouse drivers, zip disk drivers, camera's , screen or display drivers and other things that might appear in you taskbar. [If you have an OS thats not mentioned here, and would like to submit a process list feel free to post yours up. (Like: winME and XP Home) If you want to stop a process from starting up, you can either use MSCONFIG, edit the Registry or use a program like: http://www.mlin.net/StartupCPL.shtml ] Win98 Processes (Not all these necessarily run on a machine): Code: # The very basics of a Win98 OS (Windows will not function fully without this) C:\WINDOWS\EXPLORER.EXE # places the icons for running programs on the taskbar. C:\WINDOWS\SYSTEM\SYSTRAY.EXE # File sometimes loaded to allow drivers to make peripherals function C:\WINDOWS\SYSTEM\KERNEL32.DLL # Program that reports your file storage to defrager, so it can defrag properly. C:\WINDOWS\TASKMON.EXE # System's monitor process. C:\WINDOWS\SYSTEM\WMIEXE.EXE # Windows Routing Process, used for dealing with network/adapter connections. C:\WINDOWS\SYSTEM\MPREXE.EXE # Windows Message server (Deals with e-mail, MSN/windows messenger and other events) C:\WINDOWS\SYSTEM\MSGSRV32.EXE # This is a Directx program C:\WINDOWS\SYSTEM\DDHELP.EXE # This is a Printer Spool C:\WINDOWS\SYSTEM\SPOOL32.EXE # These are used by Task Manager C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\mmtask.tsk # MSN Messenger has these attached C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE # Microsoft Office has these two C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE Win XP Pro Processes: Code: # Task Manager taskmgr.exe # Normal Explorer and Internet Explorer explorer.exe iexplore.exe # WMDM PMSP Service (Windows Media Player) MsPMSPSv.exe # This is a big one to cover, there can be many instance of svchost.exe running on a machine # thats because it's a generic host process, it's code that can be used to help aid other # programs interface better with the OS. Such things that might make them appear can be # dialups and network connections, to name a few, however sometimes Trojans and viruses # have been known to mimic a svchost.exe entry, which means for you to realise it's not # a real one you would have to either use a program to work it out automatically for you # or look at your entries in either the Registry or MSCONFIG. # (Systems SERVICES can be turned off to lower the number of svchost entries) svchost.exe # Machine Debug Manager mdm.exe # Printer Spool spoolsv.exe # Local Security Authority Service deals with how to authenticate. lsass.exe # Windows Logon Process Covers the login and Logoff of a user, however needs lsass.exe winlogon.exe # Note: both lsass.exe and winlogon.exe can be mimiced sometimes, not just to attempt to # be stealthy in a process list, but also to try and manipulate the programs other components # to think it's the real one. # Windows Service Controller starts and stops services (better resource handling) services.exe # client/Server Runtime Server Subsystem, handles windows and graphics functions. csrss.exe # Session Manager Subsystem, starts,manages and deletes user and terminal user sessions. smss.exe # System process, "0"s all free RAM. (Something win98 doesn't do. Better resource Handling.) System # Systems Loop that defines if there is idle time available for a process/function/program to run. System Idle Process
Theres no mention of UNIX. heres content from MANUAL. Code: The System V ps command will normally only print the processes that are associated with the terminal on which the program is being run. To list all of the processes that are running on your computer, you must run the program with the -ef options. The options are: Option Effect e List all processes f Produce a full listing For example: sun.vineyard.net% /bin/ps -ef UID PID PPID C STIME TTY TIME COMD root 0 0 64 Nov 16 ? 0:01 sched root 1 0 80 Nov 16 ? 9:56 /etc/init - root 2 0 80 Nov 16 ? 0:10 pageout root 3 0 80 Nov 16 ? 78:20 fsflush root 227 1 24 Nov 16 ? 0:00 /usr/lib/saf/sac -t 300 root 269 1 18 Nov 16 console 0:00 /usr/lib/saf/ttymon -g - root 97 1 80 Nov 16 ? 1:02 /usr/sbin/rpcbind root 208 1 80 Nov 16 ? 0:01 /usr/dt/bin/dtlogin root 99 1 21 Nov 16 ? 0:00 /usr/sbin/keyserv root 117 1 12 Nov 16 ? 0:00 /usr/lib/nfs/statd root 105 1 12 Nov 16 ? 0:00 /usr/sbin/kerbd root 119 1 27 Nov 16 ? 0:00 /usr/lib/nfs/lockd root 138 1 12 Nov 16 ? 0:00 /usr/lib/autofs/automoun root 162 1 62 Nov 16 ? 0:01 /usr/lib/lpsched root 142 1 41 Nov 16 ? 0:00 /usr/sbin/syslogd root 152 1 80 Nov 16 ? 0:07 /usr/sbin/cron root 169 162 8 Nov 16 ? 0:00 lpNet root 172 1 80 Nov 16 ? 0:02 /usr/lib/sendmail -q1h root 199 1 80 Nov 16 ? 0:02 /usr/sbin/vold root 180 1 80 Nov 16 ? 0:04 /usr/lib/utmpd root 234 227 31 Nov 16 ? 0:00 /usr/lib/saf/listen tcp simsong 14670 14563 13 12:22:12 pts/11 0:00 rlogin next root 235 227 45 Nov 16 ? 0:00 /usr/lib/saf/ttymon simsong 14673 14535 34 12:23:06 pts/5 0:00 rlogin next simsong 14509 1 80 11:32:43 ? 0:05 /usr/dt/bin/dsdm simsong 14528 14520 80 11:32:51 ? 0:18 dtwm simsong 14535 14533 66 11:33:04 pts/5 0:01 /usr/local/bin/tcsh simsong 14529 14520 80 11:32:56 ? 0:03 dtfile -session dta003TF root 14467 1 11 11:32:23 ? 0:00 /usr/openwin/bin/fbconso simsong 14635 14533 80 11:48:18 pts/12 0:01 /usr/local/bin/tcsh simsong 14728 14727 65 15:29:20 pts/9 0:01 rlogin next root 332 114 80 Nov 16 ? 0:02 /usr/dt/bin/rpc.ttdbserv root 14086 208 80 Dec 01 ? 8:26 /usr/openwin/bin/Xsun :0 simsong 13121 13098 80 Nov 29 pts/6 0:01 /usr/local/bin/tcsh simsong 15074 14635 20 10:48:34 pts/12 0:00 /bin/ps -ef Table 27.2 describes the meaning of each field in this output. Field in ps Output (System V) Table C.1: Feild in ps Output (System V) Field Meaning UID The username of the person running the command PID The process's identification number (see next section) PPID The process ID of the process's parent process C The processor utilization; an indication of how much CPU time the process is using at the moment STIME The time that the process started executing TTY The controlling terminal for the process TIME The total amount of CPU time that the process has used COMD The command that was used to start the process C.1.2.2 Listing processes with Berkeley-derived versions of UNIX With Berkeley UNIX, you can use the command: % ps -auxww to display detailed information about every process running on your computer. The options specified in this command are: Option Effect a List all processes u Display the information in a user-oriented style x Include information on processes that do not have controlling ttys ww Include the complete command lines, even if they run past 132 columns For example:[1] [1] Many Berkeley-derived versions also show a start time (START) between STAT and TIME. % ps -auxww USER PID %CPU %MEM SZ RSS TT STAT TIME COMMAND simsong 1996 62.6 0.6 1136 1000 q8 R 0:02 ps auxww root 111 0.0 0.0 32 16 ? I 1:10 /etc/biod 4 daemon 115 0.0 0.1 164 148 ? S 2:06 /etc/syslog root 103 0.0 0.1 140 116 ? I 0:44 /etc/portmap root 116 0.0 0.5 860 832 ? I 12:24 /etc/mountd -i -s root 191 0.0 0.2 384 352 ? I 0:30 /usr/etc/bin/lpd root 73 0.0 0.3 528 484 ? S < 7:31 /usr/etc/ntpd -n root 4 0.0 0.0 0 0 ? I 0:00 tpathd root 3 0.0 0.0 0 0 ? R 0:00 idleproc root 2 0.0 0.0 4096 0 ? D 0:00 pagedaemon root 239 0.0 0.1 180 156 co I 0:00 std.9600 console root 0 0.0 0.0 0 0 ? D 0:08 swapper root 178 0.0 0.3 700 616 ? I 6:31 /etc/snmpd root 174 0.0 0.1 184 148 ? S 5:06 /etc/inetd root 168 0.0 0.0 56 44 ? I 0:16 /etc/cron root 132 0.0 0.2 452 352 co I 0:11 /usr/etc/lockd jdavis 383 0.0 0.1 176 96 p0 I 0:03 rlogin hymie ishii 1985 0.0 0.1 284 152 q1 S 0:00 /usr/ucb/mail bl root 26795 0.0 0.1 128 92 ? S 0:00 timed root 25728 0.0 0.0 136 56 t3 I 0:00 telnetd jdavis 359 0.0 0.1 540 212 p0 I 0:00 -tcsh (tcsh) root 205 0.0 0.1 216 168 ? I 0:04 /usr/local/cap/atis kkarahal 16296 0.0 0.4 1144 640 ? I 0:00 emacs root 358 0.0 0.0 120 44 p0 I 0:03 rlogind root 26568 0.0 0.0 0 0 ? Z 0:00 <exiting> root 10862 0.0 0.1 376 112 ? I 0:00 rshd The fields in this output are described in Table 27.3. Individual STAT characters are described in Tables C-3, C-4, and C-5. Table C.2: Fields in ps Output (Berkeley-derived) Field Meaning USER The username of the process. If the process has a UID (described in the next section) that does not appear in /etc/passwd, the UID is printed instead.[2] PID The process's identification number %CPU, %MEM The percentage of the system's CPU and memory that the process is using SZ The amount of virtual memory that the process is using RSS The resident set size of the process*- the amount of physical memory that the process is occupying TT The terminal that is controlling the process STAT A field denoting the status of the process; up to three letters (four under SunOS) are shown TIME CPU time used by the process COMMAND The name of the command (and arguments) [2] If this happens, follow up to be sure you don't have an intruder. Table C.3: . Runnability of Process (First Letter of STAT Field) Letter Meaning R Actually running or runnable S Sleeping (sleeping > 20 seconds) I Idle (sleeping < 20 seconds) T Stopped H Halted P In page wait D In disk wait Z Zombie Table C.4: . Whether Process Swapped (Second Letter of STAT Field) Letter Meaning <Blank> In core W Swapped out > A process that has exceeded a soft limit on memory requirements Table C.5: . Whether Process Is running with Altered CPU Schedule (Third Letter of STAT Field) Letter Meaning N The process is running at a low priority # nice (a number greater than 0). < The process is running at a high priority. NOTE: Because command arguments are stored in the process's own memory space, a process can change what appears on its command line. If you suspect that a process may not be what it claims to be, type: % ps -c This causes ps to print the name of the command stored in the kernel. This approach is substantially faster than the standard ps, and is more suitable for use with scripts that run periodically. Unfortunately, the ps -c display does not include the arguments of each command that is running. C.1.3 Process Properties The kernel maintains a set of properties for every UNIX process. Most of these properties are denoted by numbers. Some of these numbers refer to processes, while others determine what privileges the processes have. C.1.3.1 Process identification numbers (PID) Every process is assigned a unique number called the process identifier, or PID. The first process to run, called init, is given the number 1. Process numbers can range from 1 to 65535.[3] When the kernel runs out of process numbers, it recycles them. The kernel guarantees that no two active processes will ever have the same number. [3] Some versions of UNIX may allow process numbers in a range different from 1 to 65535. C.1.3.2 Process real and effective UID Every UNIX process has two user identifiers: a real UID and an effective UID. The real UID (RUID) is the actual user identifier (UID) of the person who is running the program. It is usually the same as the UID of the actual person who is logged into the computer, sitting in front of the terminal (or workstation). The effective UID (EUID) identifies the actual privileges of the process that is running. Normally, the real UID and the effective UID are the same. That is, normally you have only the privileges associated with your own UID. Sometimes, however, the real and effective UID can be different. This occurs when a user runs a special kind of program, called a SUID program, which is used to accomplish a specific function (such as changing the user's password). SUID programs are described in Chapter 4, Users, Groups, and the Superuser. C.1.3.3 Process priority and niceness Although UNIX is a multitasking operating system, most computers that run UNIX can run only a single process at a time.[4] Every fraction of a second, the UNIX operating system rapidly switches between many different processes, so that each one gets a little bit of work done within a given amount of time. A tiny but important part of the UNIX kernel called the process scheduler decides which process is allowed to run at any given moment and how much CPU time that process should get. [4] Multiprocessor computers can run as many processes at a time as they have processors. To calculate which process it should run next, the scheduler computes the priority of every process. The process with the lowest priority number (or the highest priority) runs. A process's priority is determined with a complex formula that includes what the process is doing and how much CPU time the process has already consumed. A special number, called the nice number or simply the nice, biases this calculation: the lower a process's nice number, the higher its priority, and the more likely that it will be run. On most versions of UNIX, nice numbers are limited from -20 to +20. Most processes have a nice of 0. A process with a nice number of +19 will probably not run until the system is almost completely idle; likewise, a process with a nice number of -19 will probably preempt every other user process on the system. Sometimes you will want to make a process run slower. In some cases, processes take more than their "fair share" of the CPU, but you don't want to kill them outright. An example is a program that a researcher has left running overnight to perform mathematical calculations that isn't finished the next morning. In this case, rather than killing the process and forcing the researcher to restart it later from the beginning, you could simply cut the amount of CPU time that the process is getting and let it finish slowly during the day. The program /etc/renice lets you change a process's niceness. For example, suppose that Mike left a program running before he went home. Now it's late at night, and Mike's program is taking up most of the computer's CPU time: % ps aux | head -5 USER PID %CPU %MEM VSIZE RSIZE TT STAT TIME COMMAND mike 211 70.0 6.7 2.26M 1.08M 01 R 4:01 cruncher mike 129 8.2 15.1 7.06M 2.41M 01 S 0:48 csh donna 212 7.0 7.3 2.56M 1.16M p1 S 1:38 csh michelle 290 4.0 11.9 14.4M 1.91M 03 R 19:00 rogue % You could slow down Mike's program by renicing it to a higher nice number. For security reasons, normal users are only allowed to increase the nice numbers of their own processes. Only the superuser can lower the nice number of a process or raise the nice number of somebody else's process. (Fortunately, in this example, we know the superuser password!) % /bin/su password: another39 # /etc/renice +4 211 211: old priority 0, new priority 4 # ps u211 USER PID %CPU %MEM VSIZE RSIZE TT STAT TIME COMMAND mike 211 1.5 6.7 2.26M 1.08M 01 R N 4:02 cruncher The N in the STAT field indicates that the cruncher process is now running at a lower priority (it is "niced"). Notice that the process's CPU consumption has already decreased. Any new processes that are spawned by the process with PID 211 will inherit this new nice value, too. You can also use /etc/renice to lower the nice number of a process to make it finish faster.[5] Although setting a process to a lower priority won't speed up the CPU or make your computer's hard disk transfer data faster, the negative nice number will cause UNIX to run a particular process more than it runs others on the system. Of course, if you ran every process with the same negative priority, there wouldn't be any apparent benefit. [5] Only root can renice a process to make it faster. Normal processes can't even change themselves back to what they were (if they've been niced down). Normal users can't even raise the priority of their processes to the value at which they were started. Some versions of the renice command allow you to change the nice of all processes belonging to a user or all processes in a process group (described in the next section). For instance, to speed up all of Mike's processes, you might type: # renice -2 -u mike Remember, processes with a lower nice number run faster. Note that because of the UNIX scheduling system, renicing several processes to lower numbers is likely to increase paging activity if there is limited physical memory, and therefore adversely impact overall system performance. What do process priority and niceness have to do with security? If an intruder has broken into your system and you have contacted the authorities and are tracing the phone call, slowing the intruder down with a priority of +10 or +15 will limit the damage that the intruder can do without hanging up the phone (and losing your chance to catch the intruder). Of course, any time that an intruder is on a system, exercise extreme caution. Also, running your own shell with a higher priority may give you an advantage if the system is heavily loaded. The easiest way to do so is by typing: # renice -5 $$ The shell will replace the $$ with the PID of the shell's process. C.1.3.4 Process groups and sessions With Berkeley-derived versions of UNIX, including SVR4, each process is assigned a process ID (PID), a process group ID, and a session ID. Process groups and sessions are used to implement job control. For each process, the PID is a unique number, the process group ID is the PID of the process group leader process, and the session ID is the PID of the session leader process. When a process is created, it inherits the process group ID and the session ID of its parent process. Any process may create a new process group by calling setpgrp() and may create a new session by calling the UNIX system call setsid(). All processes that have the same process group ID are said to be in the same process group. Each UNIX process group belongs to a session group. This is used to help manage signals and orphaned processes. Once a user has logged in, the user may start multiple sets of processes, or jobs, using the shell's job-control mechanism. A job may have a single process, such as a single invocation of the ls command. Alternatively, a job may have several processes, such as a complex shell pipeline. For each of these jobs, there is a process group. UNIX also keeps track of the particular process group which is controlling the terminal. This can be set or changed with ioctl() system calls. Only the controlling process group can read or write to the terminal. A process could become an orphan if its parent process exits but it continues to run. Historically, these processes would be inherited by the init process but would remain in their original process group. If a signal were sent by the controlling terminal (process group), then it would go to the orphaned process, even though it no longer had any real connection to the terminal or the rest of the process group. To counter this, POSIX defines an orphaned process group. This is a process group where the parent of every member is either not a member of the process group's session, or is itself a member of the same process group. Orphaned process groups are not sent terminal signals when they are generated. Because of the way in which new sessions are created, the initial process in the first process group is always an orphan (its ancestor is not in the session). Command interpreters are usually spawned as session leaders so they ignore TSTP signals from the terminal. bye!
Since someones Necro'd the thread I thought I would add something in regards to things that Windows doesn't actually need. It is possible to turn off explorer.exe from the tasklist this however pretty much removes the whole windows environment just leaving a background in WinXP and Vista. If you want to bring it back or execute things like games that can be very CPU intensive (and thus can gain a few FPS from closing the environment down) just use CTRL+ALT+DEL bring up the Task manager, click File and you should be able to use RUN. in the run box (search box) you can type Explorer or Explorer.exe and it will bring back the environment (in most cases). Otherwise you can choose to load games from searching your desktop for links etc.
For OSX: http://www.westwind.com/reference/OS-X/background-processes.html You can see what's running by opening \applications\utilities\terminal and typing in 'top' at the command prompt.
top is in linux also. Word of warning, unless you really know what you're doing, look but don't touch. You can bring down the system with a few keystrokes, especially as root. Please Register or Log in to view the hidden image! Very useful for monitoring system resourses though. Just type top have a look and then hit the q key to quit.
WINDOWS 7 BETA DEFAULT Please Register or Log in to view the hidden image! This is a picture of processes during first boot. There are a few things to note. 1. There is typically 9 'svchost.exe' processes. But sometimes, a 10th shows up. 2. The 2 'mscorsvw.exe' processes (32-bit and 64-bit) are related to both 'Microsoft.NET Framework' services. I'm not sure what those services are for, but if you disable them, those proceses will no longer run. There is a possibility that they will go away if you disable the 'Windows Management Instrumentation' service. 3. 'WmiPrvSE.exe' will no longer appear if you disable the 'Windows Management Instrumentation' service. 4. 'sppsvc.exe' only appears when it needs to. If you disable the 'Software Protection' service it will never appear again. However, disabling that service will cause warnings to appear when you do certain things. It's a really useless service that prevents those warnings from appearing by checking if your Windows key is activated. If it's dead, it can't verify, and warnings appear. It's a really pointless bloat that has no practical use. 5. Sometimes 'taskhost.exe LOCAL' will appear out of nowhere. 6. 'SearchIndexer.exe' always runs. You can get rid of it by disabling the 'Windows Search' service which is necessary for you to do any searches. Sometimes, 3 other related processes will appear out of nowhere. Typcially when you save or create a file. 7. 'TrustedInstaller.exe' also appears sometimes. Typically after installations. 8. 'mdm.exe' is a process related to the 'Machine Debug Manager' service. This service is installed with MS Office, and can be disabled.
It's been a while since this stickied thread has been updated, however recently I discovered something that some of you probably are already familiar with, the "Hardware Profiles" on Windows operating systems that can be used to define which Services you want to load when you first bootup. If you utilise this with blackvipers guide for process configuration, you'll be able to create countless profiles that don't have to undermine your default loadout. (Namely you can make an unstable service loadout that doesn't stop you being able to boot the computer or connect a device at a later date) Please feel free to see if Windows 7 still allows these configurations or even Vista. (Haven't had the chance to test yet) Edit: Both Windows 7 and Vista do not use Hardware profiles, it seems Microsoft obsleted these probably due to both changes in plug and play as well as due to their software detecting hardware changes as a apart of their copyprotection/authentication(As the profiles are actually meant for different hardware configurations)
for OSX Leopard; Snow Leopard is roughly the same, though 64-bit in many cases. Not a screenshot of my system, found online. Please Register or Log in to view the hidden image!