Unravelling CSRSS.exe and the new process architecture of Windows 7
One of the things I first noticed in Windows 7 is how there are now many "hidden" processes not shown in the normal tab of Task Manager, and instead lumped into the "Services" tab, yet still somehow connected to or underneath the 'umbrella' of other processes. I used to know all the processes that run in Windows, and which I could kill and which I couldn't. Since this Services tab I've kinda given up on that due to the sheer number.
I hope to help change that with this thread. I'm finally deciding to create a whitelist in my head of these Services, like I used to have for all Windows processes. The first problem I'm noticing is that if a service is loaded under a critical process (like CSRSS.exe), then there is no obvious way to kill it. What is the way around this?
This seems like a huge security vulnerability, because what if a virus installs itself under the 'umbrella' of CSRSS.exe? There is an anti-cheat program called PunkBuster that is needed to play games like Battlefield 3. I noticed that PnkBstrA is part of CSRSS.exe.
I decided to reinstall this game tonight, as well as PunkBuster and Origin (both pieces of software related only to this game, for me). After uninstalling all three, deleting all related folders from my HD, and deleting all leftover registry keys related to them and their parent companies, I noticed PnkBstrA was somehow STILL running! I hit Stop process: nothing. I hit Go To Process, and it took me to CSRSS.exe ... well darn. I know from experience you can't kill CSRSS.exe and expect Windows to keep running.
I'm amazed at this; I did not think it was possible for anything to survive in Windows after an uninstall, file delete, and registry key delete...
Anyways, I was already 15 minutes into downloading the game files when I noticed this, so I'm going to have to just hope it's a "clean" re-installation and overlook this. I'm mainly posting this out of curiosity, hoping to pick up a couple of pointers that might help me in the future manually remove advanced viruses that take advantage of this vulnerability.
TL;DR: How can you kill a non-Windows 7 service that has injected itself into an essential Windows 7 service? (other than via taskmgr, since that doesn't always work correctly)
Last edited by joe7dust; 06 Dec 2011 at 03:42.
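As an added worked example for the question above (editor's addition, not part of the original post or of any PunkBuster or Windows tooling): Task Manager's "Go To Process" maps a service to the process that hosts it, and several services can share one host process, so terminating the host is the wrong lever. The Service Control Manager tracks each service by name, and a service can be stopped and unregistered through the SCM without touching its host process. The script below lists every service with its hosting PID and image, shows what else shares that host, then stops and deletes the named service. It assumes an elevated PowerShell prompt on Windows 7 or later; the service name PnkBstrA is taken from the post and used only as the illustrative target.

```powershell
# Added example (not from the original post): map services to their host
# process and remove a service through the SCM instead of killing the host.
# Assumption: run from an elevated (Administrator) PowerShell prompt.
# Get-WmiObject is used because it exists on Windows 7's PowerShell 2.0;
# on current systems Get-CimInstance Win32_Service is the equivalent.

$ServiceName = 'PnkBstrA'   # illustrative target taken from the post; replace as needed

# 1. Every registered service with state, start mode, hosting PID and the image
#    running in that PID. Services sharing a host (e.g. svchost.exe) show the
#    same ProcessId; a ProcessId of 0 means the service is not running.
Get-WmiObject Win32_Service |
    Select-Object Name, State, StartMode, ProcessId, PathName,
        @{ Name = 'HostImage'; Expression = {
            if ($_.ProcessId -eq 0) { '(not running)' }
            else { (Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue).ProcessName }
        } } |
    Sort-Object ProcessId |
    Format-Table -AutoSize

# 2. Locate the service in question and see what else lives in its host process.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Host "No service named $ServiceName is registered with the SCM."
}
else {
    Write-Host ("{0} -> PID {1}, state {2}, image: {3}" -f $svc.Name, $svc.ProcessId, $svc.State, $svc.PathName)

    if ($svc.ProcessId -ne 0) {
        # Killing PID $svc.ProcessId would also take down every service listed here.
        Write-Host "Other services sharing PID $($svc.ProcessId):"
        Get-WmiObject Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
            Where-Object { $_.Name -ne $ServiceName } |
            Select-Object Name, State |
            Format-Table -AutoSize
    }

    # 3. Stop and unregister the service via the SCM. The host process survives;
    #    only this service's SCM entry (and its registry key under
    #    HKLM\SYSTEM\CurrentControlSet\Services\<name>) is removed.
    #    If the service refuses to stop, sc.exe delete marks it for deletion
    #    and the removal completes after the next reboot.
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName
}
```

The same service-to-PID mapping is available without PowerShell as `tasklist /svc` from a command prompt, which prints each process with the list of service names it hosts. Checking that mapping before reaching for "End Process" is the step that separates stopping one unwanted service from crashing a shared host.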