what processes are considered by task manager to be critical


  1. Posts : 122
    Windows 7 Home Premium 64 bit
    Thread Starter
       #11

    All you need to do for Task Manager is:

    Select End Process and see if this warning appears:

    http://www.betaarchive.com/imageuplo...5.or.69639.png

    I was worried that something malicious was going on, as a common test of whether something is malicious is to test an important process to see if it gives that warning, but I can't find a list of which ones do. Only the ones I mentioned have done so; no svchost or winlogon.


  2. Posts : 2,497
    Windows 7 Pro 64 bit
       #12

    I don't see how this method would be very useful in detecting malicious processes. This is a simple test if the process is a critical system process and even that cannot be 100% reliable. Detection of malicious processes is entirely different and Task Manager doesn't even try to do that. And many malicious processes are fully capable of hiding themselves from Task Manager and similar utilities. Malicious software has become highly sophisticated in recent years and is often very difficult to detect.


  3. Posts : 122
    Windows 7 Home Premium 64 bit
    Thread Starter
       #13

    Well, to be more clear: to see if a process like csrss.exe is legit and not a false one. I understand it would not work with others; I am simply trying to find out which ones should.


  4. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #14

    Check signature


    Keyes said:
    Well to be more clear, to see if a process like csrss.exe is legit and not a false one, I understand it would not work with others, I am simply trying to find out which ones should.
    Usually I just check the signature of processes even if they've got legitimate file names. Unsigned ones could be malicious (but not always the case) especially if they're running with the same name as a system file.

    Edit:

    Ways to check processes.

    Prio (Task Manager add on) highlights unsigned processes in red.


    Process Explorer checks running processes against VirusTotal and can do a lot more than task manager.


    Process Hacker can be configured to show unsigned processes and can do a lot more than task manager.


    SigCheck GUI can check the signatures of all running processes and check them against VirusTotal, or just scan any file(s) or folder(s) specified.


    The above is probably a better way to approach the problem rather than randomly killing processes to see what happens.

    Let us know if you want to use any of the above and someone will post download links.
    Last edited by Callender; 02 Jan 2015 at 15:08. Reason: Add info.


  5. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #15

    Callender said:
    Let us know how you get on.
    Okay, if you really insist to know now ...
    Callender said:
    [...] probably a better way to approach the problem rather than randomly killing processes to see what happens.
    I did exactly the above -- just for good measure ...

    Using a batch script to forcibly terminate each of my running processes in alphabetical order, I was able to find processes that CMD (more accurately taskkill.exe) refused to kill, and also find processes that terminate successfully but whose absence leads to system instability one way or another.

    The descriptions at the top of each list and the way the lists are divided are based on the behaviour of the standard taskkill.exe tool supplied with a Windows 7 install. Error messages thrown by Taskkill will be used to determine a critical process.

    For the sake of fun and curiosity, after finding all the critical processes I could with Taskkill, I have gone ahead and killed each one of the critical processes with a separate downloaded tool: PsKill, which is more unrestricted in that it kills any process one specifies to it; no questions asked (some exceptions found). I've added a brief description of the immediately observable consequences of doing so next to the respective names of each of the processes.

    Note: there may be multiple instances of a critical process running at one time. Only one will be mentioned if that is the case.


    List 1: Below is a list of processes Taskkill will not kill due to "Reason: This is critical system process. Taskkill cannot end this process":

    "csrss.exe" - BSOD
    "smss.exe" - BSOD
    "System Idle Process" - Unable to kill due to "Process does not exist."
    "winlogon.exe" - Immediately logs the user off, rather violently


    List 2: A list of processes that Taskkill will not terminate because of "Reason: Access is denied" even while logged in as Administrator; and even while logged in as System for that matter! (access is always denied). These processes may not be considered critical:

    "audiodg.exe" - No observable differences when killed
    "MsMpEng.exe" - Unable to kill due to "Access is denied."
    "NisSrv.exe" - Unable to kill due to "Access is denied."
    "System" - Process immediately restarts itself; no observable differences


    List 3: A notable list of processes that can be killed by Taskkill but lead to system instability.

    "lsass.exe" - Alert box appears with the message "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now"; this restart cannot be aborted with 'shutdown -a'
    "lsm.exe" - Ditto as above
    "services.exe" - Ditto as above
    "svchost.exe" - Windows reverts to a basic theme
    "wininit.exe" - BSOD


    If the definition of a 'critical process' is a process that Task Manager deems to be unsafe to kill and raises a special warning box for the process when a user attempts to end one, then only the three following processes satisfy the definition:

    "csrss.exe"
    "smss.exe"
    "wininit.exe"


    Should an attempt be made by the user to end any of the three processes above via Task Manager, a warning message occurs reading: "Ending this process will shut down the operating system immediately. You will lose all unsaved data. Are you sure you want to continue?", making the user very aware of what they are about to do, as a check box and a button press are required to 'continue'.


    Keyes said:
    I would have thought lsass.exe or winlogon.exe would give these warnings
    Notice how the processes that do give the special warning all cause Windows to collapse into a blue screen if they're killed. From this observation, we could say that lsass.exe and winlogon.exe don't give these same warnings because killing either one of them will not bring about instant data loss. Windows gives the user a minute to save any data should lsass or Winlogon somehow die.

    Command prompt wise, most critical processes are unable to be killed with standard CMD commands. The only critical process that is able to be killed via the standard 'builtin' command taskkill.exe, that will cause a BSOD, is wininit.exe. Even though Wininit is guarded by that special warning message in Task Manager, Taskkill will happily kill the critical process if directed to, unlike other BSOD generating processes when killed, strangely.

    Somebody at Microsoft forgot to whitelist Wininit as critical in the Taskkill application, perhaps. Killing Wininit has got to be the nicest and easiest method to see a blue screen nonetheless; I reckon they should leave it kill-able in future.


    All critical processes I have managed to find, though, have already been mentioned here in prior posts within this thread.

    Final thing worth noting: Renaming any odd application to the same name as a critical process will NOT be treated as if critical by Task Manager.


    I hope this post provides the final pieces of information you are after, Keyes. There are enough lists in this thread that answer the initial question.
    Keyes said:
    Is there a complete list of processes that are considered critical like this?
    There are only 3, and you've found them, right from post 1.

    Consider marking this thread solved.


  6. Posts : 2,497
    Windows 7 Pro 64 bit
       #16

    Using any warnings put up by Task Manager when trying to kill a process doesn't seem a very reliable indication of its legitimacy. Wouldn't it be better to check the command line of any suspect process (easily done with an elevated admin account)? If the location is correct, the process is probably legitimate. But there are no guarantees when dealing with malware. If the location is incorrect, it is almost certainly illegitimate. Using Process Hacker to check signatures is an even better idea.

    But none of these methods are even close to being foolproof. Modern malware is quite capable of evading such methods. Even hiding itself from being listed or manipulating displayed data isn't particularly difficult.


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #17

    Solved


    Pyprohly said:
    Callender said:
    Let us know how you get on.
    I hope this post provides the final pieces of information you are after, Keyes. There are enough lists in this thread that answer the initial question.
    Keyes said:
    Is there a complete list of processes that are considered critical like this?
    There are only 3, and you've found them, right from post 1.

    Consider marking this thread solved.
    Thanks for the effort and the detailed info.


  8. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #18

    LMiller7 said:
    Using any warnings put up by Task Manager when trying to kill a process doesn't seem a very reliable indication of it's legitimacy.
    It doesn't. I'm sure we all agree with your words, Miller, that Task Manager is not suitable for detecting malicious processes, or anything of the like.

    LMiller7 said:
    Wouldn't it be better to check the command line of any suspect process (easily done with an elevated admin account)?
    I don't understand, how's this "easily" done? Would you care to eliminate vagueness by the word 'check' in that statement and demonstrate for us what specifically you mean by this?


    LMiller7 said:
    [T]here are no guarantees when dealing with malware.
    ~ LMiller7, 2015


  9. Posts : 2,497
    Windows 7 Pro 64 bit
       #19

    Anyone wishing to make maximum use of Task Manager would do well to investigate all of the options available. In the View menu, select "Select Columns". One important one is "Command Line". "Show processes from all users" will run Task Manager elevated (if you are running with an admin account).
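    As an added example (not posted in the thread), a PowerShell script that automates the checks LMiller7 and Callender describe: for every running process carrying one of the critical names listed in the posts above, it reports the image path, whether that path sits under System32, the Authenticode signature status and signer, and the command line. It assumes an elevated PowerShell 3.0 or later session on Windows 7 or newer; the process-name list comes from the thread, while the expected directory and the output layout are assumptions.

```powershell
# Added example, not from the thread: report location and signature of processes whose
# names match critical Windows system processes. Run elevated so that image paths of
# system processes are readable. Assumes PowerShell 3.0+ (for [pscustomobject]).

# Process names taken from the lists in this thread; expected directory is an assumption.
$criticalNames = @('csrss', 'smss', 'wininit', 'winlogon', 'lsass', 'services', 'lsm', 'svchost')
$system32 = Join-Path $env:SystemRoot 'System32'

$report = foreach ($p in Get-Process | Where-Object { $criticalNames -contains $_.ProcessName }) {
    # Win32_Process gives the image path and full command line (the Task Manager
    # "Command Line" column) even where Get-Process leaves .Path blank.
    $wmi  = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.Id)"
    $path = $wmi.ExecutablePath

    if (-not $path) {
        # Path unreadable: usually a non-elevated session, not necessarily malware.
        [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; Path = '<unreadable>'
                           InSystem32 = $null; Signature = 'n/a'; Signer = ''
                           CommandLine = $wmi.CommandLine }
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name        = $p.ProcessName
        PID         = $p.Id
        Path        = $path
        InSystem32  = $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
        Signature   = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        CommandLine = $wmi.CommandLine
    }
}

# Overview of everything found.
$report | Format-Table Name, PID, InSystem32, Signature -AutoSize

# Entries running outside System32 or without a valid signature deserve a closer look.
# As the thread notes, a clean result here is still no guarantee: a rootkit can hide
# from WMI and Get-Process just as it hides from Task Manager.
$report | Where-Object { -not $_.InSystem32 -or "$($_.Signature)" -ne 'Valid' } | Format-List
```

    A process that Task Manager would not flag as critical (for example a renamed copy of csrss.exe, as Pyprohly observed) still shows up here because the match is on name, and its path and signature then tell the story.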


  10. whs
    Posts : 26,210
    Vista, Windows7, Mint Mate, Zorin, Windows 8
       #20

    All processes that run should be left alone. You never know what exactly they do. E.g. if you disable defrag, you cannot shrink a partition in Disk Management. Or in Vista - if you disable Tablet PC, you get no snipping tool. Who would have thunk.

