I.e, the ones that give you the system will shutdown immediately warning if you try to end them.
These are the only ones that give me the warning.
Csrss.exe
smss.exe
wininit.exe
I would have thought lsass.exe or winlogon.exe would give these warnings. Why is it that they dont recieve warnings? Is there a complete list of processes that are considered critical like this?
Well I don't know the full list but here's some to get you started.
Two screenshots - the first with critical processes hidden and the second one with critical processes shown.
No critical processes in this screenshot:
The processes that are not highlighted in the screenshot below are critical - at least according to UVK:
Well I am going by task managers list, the ones that bring up the warning. Is it just the 3 i mentioned or should others like lsass do it as well?
Sorry but I don't use task manager to kill proccesses so I never see the warning that you mention. I might use it to close an application though. I tend to use UVK or Process Hacker instead and sometimes Process Explorer.
According to UVK lsass.exe is critical. I see that I missed that one in my earlier screenshot so on that basis you should manually compare the two screenshots - which is what I did but missed one process at least!
NoteEdit: I didn't miss it. I'm just getting slightly confused.
I did some digging. Acording to this article the following applies:
Windows 7 Startup
Quote from the article
Critical processes that must keep running:
Windows has many critical processes that cause Windows to crash if they fail. That is unless Windows has booted in debugging mode in which case the debugger will appear:
System process for the Kernel (NTOSKrnl.exe) !
The Session Manager Sub-System (SMSS.exe) !
Client Server Runtime Sub-System (CSRSS.exe) !
Windows Logon (WinLogon.exe) !
Windows Init (WinInit.exe) !
Windows Logon User Interface Host (LogonUI.exe) for RDP only !
Local Security Authority Process (lsass.exe) !
Service Control Manager (Services.exe) !
Service Host (svchost.exe) with RPCSS or Dcom/PnP !
Desktop Window Manager (DWM.exe) !
plus other optional processes such as performance monitoring ! or Internet Information Server (ISS) !
Last edited by Callender; 01 Jan 2015 at 23:15. Reason: add info
Just tried killing wininit with:
first BSOD everCode:taskkill /im wininit.exe /f.
Now I'm curious to uncover more of these so called 'critical' processes that are protected by task manager (and CMD (exception: the above command)). I couldn't find such a list online... but that does not mean we can't make one...
Callender, I was able to kill each one of those so called critical system processes you've indicated, no probs. -- so we can mark those ones off the list for sure.
A batch file could be utilized to find critical processes; loop through the tasklist, attempt to kill each task and see wheather it was sucessful in doing so.
Might be dangerous. Should I try?
wininit.exe was shown as critical in my second screenshot (not highlighted)
svchost.exe is listed I suppose because it's not safe to kill it without checking which processes are running under each instance.
Personally I wouldn't try anything without a backup - I always have several.
Edit - again!
Just to be clear I've compared what UVK shows in both screenshots and the results show that UVK hides the following processes that it sees as critical:
csrss.exe
lsass.exe
lsm.exe
services.exe
smss.exe
svchost.exe - doesn't apply to every instance
wininit.exe
winlogon.exe
Last edited by Callender; 01 Jan 2015 at 23:29. Reason: add more info
Sorry. My previous post did not account for the one above it; didn't see your second reply there.
Imma try killing some of these critical processes and see what happens.
I'll have to make a backup first. I'll continue to test tomorrow and post back results later in the week, my holiday schedule is packed and I'm losing daylight today. Time sure flies in NY.
Last edited by Pyprohly; 03 Jan 2015 at 22:49.
In Windows 2000 Task Manager recognized a number of processes as critical and would refuse to kill them. That served to protect the processes but had a serious problem. The problem was that the critical nature was based only on the process name. If a malicious process used such a name it could not be killed by Task manager. Not good. There is no 100% reliable way to distinguish a critical process from a malicious one. Any attempted method could potentially be exploited by a malicious process to defend itself. Later systems dropped this feature.
It appears that the feature is back, but this time only as a warning. The user can disregard the warning and kill the process if the account has sufficient rights. If the process is critical the user must accept the consequences, usually a forced reboot.
The "SYSTEM" and "System Idle Process" are very special processes and cannot be killed under any circumstances. A good case can be made that they are not real processes at all. Novices sometimes attempt to kill the System Idle Process under the mistaken belief it has excessive CPU usage.
Some processes belonging to AV software cannot normally be killed. Some malicious software will attempt to kill known AV processes so they need to use advanced methods to defend themselves.
Quote
