Windows 7 Forums


Windows 7: what processes are considered by task manager to be critical

02 Jan 2015   #11
Keyes

Windows 7 Home Premium 64 bit
 
 

All you need to do for Task Manager is select End Process and see if this warning appears:

http://www.betaarchive.com/imageuplo...5.or.69639.png

I was worried if something malicious was going on, as a common test whether something is malicious is to test an important process to see if it gives that warning, but I can't find a list of which ones do; only the ones I mentioned have done so, no svchost or winlogon.


02 Jan 2015   #12
LMiller7

Windows 7 Pro 64 bit
 
 

I don't see how this method would be very useful in detecting malicious processes. This is a simple test if the process is a critical system process and even that cannot be 100% reliable. Detection of malicious processes is entirely different and Task Manager doesn't even try to do that. And many malicious processes are fully capable of hiding themselves from Task Manager and similar utilities. Malicious software has become highly sophisticated in recent years and is often very difficult to detect.
02 Jan 2015   #13
Keyes

Windows 7 Home Premium 64 bit
 
 

Well to be more clear, to see if a process like csrss.exe is legit and not a false one, I understand it would not work with others, I am simply trying to find out which ones should.

02 Jan 2015   #14
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Check signature

Quote: Originally Posted by Keyes
Well to be more clear, to see if a process like csrss.exe is legit and not a false one, I understand it would not work with others, I am simply trying to find out which ones should.
Usually I just check the signature of processes even if they've got legitimate file names. Unsigned ones could be malicious (but not always the case) especially if they're running with the same name as a system file.

Edit:

Ways to check processes.

Prio (Task Manager add on) highlights unsigned processes in red.


Process Explorer checks running processes against VirusTotal and can do a lot more than task manager.


Process Hacker can be configured to show unsigned processes and can do a lot more than task manager.


SigCheck GUI can check signatures of all running processes and check against VirusTotal or just scan any file(s) or folder(s) specified:


The above is probably a better way to approach the problem rather than randomly killing processes to see what happens.

Let us know if you want to use any of the above and someone will post download links.


04 Jan 2015   #15
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Quote: Originally Posted by Callender
Let us know how you get on.
Okay, if you really insist to know now ...
Quote: Originally Posted by Callender
[...] probably a better way to approach the problem rather than randomly killing processes to see what happens.
I did exactly the above -- just for good measure ...

Using a batch script to forcibly terminate each of my running processes in alphabetical order, I was able to find processes that CMD (more accurately taskkill.exe) refused to kill, and also find processes that successfully terminate but whose absence leads to system instability one way or another.

The descriptions at the top of each list and the way the lists are divided are based on the behaviour of the standard taskkill.exe tool supplied with a Windows 7 install. Error messages thrown by Taskkill will be used to determine a critical process.

For the sake of fun and curiosity, after finding all the critical processes I could with Taskkill, I have gone ahead and killed each one of the critical processes with a separate downloaded tool: PsKill, which is more unrestricted in that it kills any process one specifies to it; no questions asked (some exceptions found). I've added a brief description of the immediately observable consequences of doing so next to the respective names of each of the processes.

Note: there may be multiple instances of a critical process running at one time. Only one will be mentioned if that is the case.


List 1: Below is a list of processes Taskkill will not kill due to "Reason: This is critical system process. Taskkill cannot end this process":

"csrss.exe" - BSOD
"smss.exe" - BSOD
"System Idle Process" - Unable to kill due to "Process does not exist."
"winlogon.exe" - Immediately logs the user off, rather violently


List 2: A list of processes that Taskkill will not terminate because of "Reason: Access is denied" even while logged in as Administrator; and even while logged in as System for that matter! (access is always denied). These processes may not be considered critical:

"audiodg.exe" - No observable differences when killed
"MsMpEng.exe" - Unable to kill due to "Access is denied."
"NisSrv.exe" - Unable to kill due to "Access is denied."
"System" - Process immediately restarts itself; no observable differences


List 3: A notable list of processes that can be killed by taskkill but whose termination leads to system instability.

"lsass.exe" - Alert box appears with the message "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now"; this restart cannot be aborted with 'shutdown -a'
"lsm.exe" - Ditto as above
"services.exe" - Ditto as above
"svchost.exe" - Windows reverts to a basic theme
"wininit.exe" - BSOD


If the definition of a 'critical process' is a process that Task Manager deems to be unsafe to kill and raises a special warning box for the process when a user attempts to end one, then only the three following processes satisfy the definition:

"csrss.exe"
"smss.exe"
"wininit.exe"


Should an attempt be made by the user to end any of the three processes above via Task Manager, a warning message occurs reading: "Ending this process will shut down the operating system immediately. You will lose all unsaved data. Are you sure you want to continue?", making the user very aware of what they are about to do, as a check box and a button press are required to 'continue'.


Quote: Originally Posted by Keyes
I would have thought lsass.exe or winlogon.exe would give these warnings
Notice how the processes that do give the special warning all cause Windows to collapse into a blue screen if they're killed. From this observation, we could say that lsass.exe and winlogon.exe don't give these same warnings because killing either one of these will not bring about instant data loss. Windows gives a minute for the user to save any data should lsass or Winlogon somehow die.

Command prompt wise, most critical processes are unable to be killed with standard CMD commands. The only critical process that is able to be killed via the standard 'builtin' command taskkill.exe, that will cause a BSOD, is wininit.exe. Even though Wininit is guarded by that special warning message in Task Manager, Taskkill will happily kill the critical process if directed to, unlike other BSOD generating processes when killed, strangely.

Somebody at Microsoft forgot to whitelist Wininit as critical in the Taskkill application, perhaps. Killing Wininit has got to be the nicest and easiest method to see a blue screen nonetheless; I reckon they should leave it kill-able in future.


All critical processes I have managed to find, though, have already been mentioned here in prior posts within this thread.

Final thing worth noting: Renaming any odd application to the same name as a critical process will NOT be treated as if critical by Task Manager.


I hope this post provides the final pieces of information you are after, Keyes. There are enough lists in this thread that answer the initial question.
Quote: Originally Posted by Keyes
Is there a complete list of processes that are considered critical like this?
There are only 3, and you've found them, right from post 1.

Consider marking this thread solved.
04 Jan 2015   #16
LMiller7

Windows 7 Pro 64 bit
 
 

Using any warnings put up by Task Manager when trying to kill a process doesn't seem a very reliable indication of its legitimacy. Wouldn't it be better to check the command line of any suspect process (easily done with an elevated admin account)? If the location is correct the process is probably legitimate. But there are no guarantees when dealing with malware. If the location is incorrect it is almost certainly illegitimate. Using Process Hacker to check signatures is an even better idea.

But none of these methods are even close to being foolproof. Modern malware is quite capable of evading such methods. Even hiding itself from being listed or manipulating displayed data isn't particularly difficult.
04 Jan 2015   #17
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Solved

Quote: Originally Posted by Pyprohly
Quote: Originally Posted by Callender
Let us know how you get on.
I hope this post provides the final pieces of information you are after, Keyes. There are enough lists in this thread that answer the initial question.
Quote: Originally Posted by Keyes
Is there a complete list of processes that are considered critical like this?
There are only 3, and you've found them, right from post 1.

Consider marking this thread solved.
Thanks for the effort and the detailed info.
04 Jan 2015   #18
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Quote: Originally Posted by LMiller7
Using any warnings put up by Task Manager when trying to kill a process doesn't seem a very reliable indication of its legitimacy.
It doesn't. I'm sure we all agree with your words, Miller, that Task Manager is not suitable for detecting malicious processes, or anything of the like.

Quote: Originally Posted by LMiller7
Wouldn't it be better to check the command line of any suspect process (easily done with an elevated admin account)?
I don't understand, how's this "easily" done? Would you care to eliminate vagueness by the word 'check' in that statement and demonstrate for us what specifically you mean by this?


Quote: Originally Posted by LMiller7
[T]here are no guarantees when dealing with malware.
~ LMiller7, 2015
04 Jan 2015   #19
LMiller7

Windows 7 Pro 64 bit
 
 

Anyone wishing to make maximum use of Task Manager would do well to investigate all of the options available. In the View menu select "Select Columns". One important one is "Command Line". "Show processes from all users" will run Task Manager elevated (if you are running with an admin account).
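The location and signature checks suggested in posts #14, #16 and #19, as an added PowerShell example that is not part of any poster's message: for every running process whose name appears in the lists above, it compares the image path with %SystemRoot%\System32 and reports the file's Authenticode status. The function name, the expected-folder rule and the sample record are this example's own assumptions.

```powershell
# Added example: the names come from the lists in this thread; the rule that
# they must run from %SystemRoot%\System32 is this example's assumption.
$SystemNames = 'csrss.exe','smss.exe','wininit.exe','winlogon.exe',
               'lsass.exe','lsm.exe','services.exe','svchost.exe'
$ExpectedDir = Join-Path $env:SystemRoot 'System32'

function Test-SystemProcessImage {   # hypothetical helper name
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Process)
    process {
        # -notcontains is case-insensitive, so CSRSS.EXE is matched too.
        if ($SystemNames -notcontains $Process.Name) { return }

        $path    = $Process.ExecutablePath
        $sig     = 'n/a'
        $verdict = 'UnexpectedLocation'
        if (-not $path) {
            # WMI leaves ExecutablePath empty when the caller lacks access
            # to the process (for example, when not elevated).
            $verdict = 'PathUnavailable'
        } else {
            if (Test-Path -LiteralPath $path) {
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                $sig = 'FileMissing'
            }
            $dir = [System.IO.Path]::GetDirectoryName($path)
            if ($dir -ieq $ExpectedDir) { $verdict = 'ExpectedLocation' }
        }
        New-Object PSObject -Property @{
            Name = $Process.Name; Id = $Process.ProcessId; Verdict = $verdict
            Signature = $sig; Path = $path; CommandLine = $Process.CommandLine
        } | Select-Object Name, Id, Verdict, Signature, Path, CommandLine
    }
}

# Constructed sample record (not a real process): a critical name outside System32.
$sample = New-Object PSObject -Property @{
    Name = 'csrss.exe'; ProcessId = 4321
    ExecutablePath = 'C:\Users\Public\csrss.exe'
    CommandLine    = 'C:\Users\Public\csrss.exe'
}
$sample | Test-SystemProcessImage | Format-List   # Verdict: UnexpectedLocation

# Live check; run from an elevated prompt so more paths are visible.
Get-WmiObject Win32_Process | Test-SystemProcessImage |
    Sort-Object Verdict, Name | Format-Table -AutoSize
```

Older Windows PowerShell versions, such as the one shipped with Windows 7, read only embedded signatures, so catalog-signed Windows binaries can show NotSigned in the Signature column; treat that column as a hint and confirm with one of the signature tools named in post #14.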
04 Jan 2015   #20
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

All processes that run should be left alone. You never know what exactly they do. E.g. if you disable defrag, you cannot shrink a partition in Disk Management. Or in Vista - if you disable Tablet PC, you get no snipping tool. Who would have thunk.