
Encumbered in Services and Processes

This entry was posted on Jan 22 2009 by Samuel

For as long as I can remember, every version of Windows has enabled me to see what processes are running, except maybe Windows 3.11. As I continued to use Windows over the years, Control + Alt + Delete evolved into a useful tool, executing taskmgr.exe, showing more than the simple “Close Program” dialog box of the Windows 98 era. It became easy to identify what services were necessary (by simply running services.msc and checking what was set to Automatic, Manual or Disabled) and what processes shipped with Windows and what were running as after-market installations.

Essentially, I memorized what processes are “supposed” to be running, what are necessary and what are not. For example, I usually terminate qttask.exe because it isn’t absolutely necessary and it just takes up CPU threads that could be doing something else. Identifying what processes are supposed to be running is of deep-rooted importance to me because it gives me a sense of security about the system I am running. Aside from rootkits using advanced virtualization-style hijacking (permanent archive) techniques, identifying the processes enables me to know whether the system is compromised at a glance.

Back in the Windows 3.11 days, I did not have an anti-virus solution of any kind; however, I downloaded all sorts of executables and even programmed a few old-school “proggies” of my own. Because I didn’t run any anti-virus software, I scanned executables manually using a hex editor. While this wasn’t a perfect solution by any means, most software was relatively simple back then, so I could readily identify a password stealer or Trojan horse by simply digging through the hex line by line. Using a hex editor to identify viruses and other malicious software worked fine back then, but it would be an impossibility now.

Another interesting fact about older systems was that if you pressed Control + Alt + Delete on a Windows 98 machine and it didn’t respond, you could check whether it was terminally crashed by pressing Control + Alt + End. If the system emitted a single PC Speaker “beep” at you, then you knew the system was still active and would eventually regain stability; if you heard no audible beep, then the system was most likely done and you’d have to force a shutdown.

Anyhow, with 2000/NT and XP I was able to quickly and easily identify what services and processes were supposed to be running, so when I came across a new computer to diagnose, I could see what foreign processes needed to be identified and look them up accordingly.

This ease of identification has ended with Vista. Now, when I bring up the Task Manager or the Services list, there is such an immense number of processes running that I have mentally given up keeping track of what is “okay” to be running and what isn’t. I continue to use the Windows Defender Software Explorer feature to stop certain applications from starting up, but that is the extent of my process-checking for the most part with Vista.

In my experience, the average (OEM) Vista installation seems to have well over 80 processes, which is a frighteningly high number. Even as I remove programs and block startup processes, however, that number doesn’t dwindle all that much. Vista is a fantastic operating system and comes highly recommended over XP; however, if you intend to track processes you’ll have to use something like Process Explorer.
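The “memorize what is supposed to be running” approach described above can be written down instead of kept in your head. As an added example (not code from the original post), the PowerShell script below records a baseline of running processes and installed services on a known-clean machine, then on later runs diffs the live system against that baseline and lists anything new, including a service whose start type (Auto/Manual/Disabled) has changed or a process whose name is known but whose on-disk path is not. It assumes PowerShell 5.1 or later and an elevated prompt (so that ExecutablePath is populated for every process); the baseline file name is an arbitrary choice for this example.

```powershell
# Added example, not part of the original post.
# Usage:  .\Compare-Baseline.ps1 -Record      (on a known-clean machine, once)
#         .\Compare-Baseline.ps1              (later, to list what is new)
# Assumes an elevated PowerShell 5.1+ session; $Baseline is an arbitrary path.
param(
    [string]$Baseline = "$env:USERPROFILE\process-baseline.json",
    [switch]$Record
)

function Get-Snapshot {
    # Win32_Process exposes the on-disk path, which Task Manager hides by default.
    $procs = @(Get-CimInstance Win32_Process | ForEach-Object {
        $sig = 'n/a'
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            # Authenticode status is a cheap first filter: look at unsigned binaries first.
            $sig = (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status.ToString()
        }
        [pscustomobject]@{
            Kind   = 'Process'
            Name   = $_.Name
            Path   = $_.ExecutablePath
            Detail = $sig          # signature status for processes
        }
    })
    # Services: keep the start mode (Auto/Manual/Disabled), the same thing you
    # would eyeball in services.msc, so a flipped start type is detected too.
    $svcs = @(Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Kind   = 'Service'
            Name   = $_.Name
            Path   = $_.PathName
            Detail = $_.StartMode  # start type for services
        }
    })
    $procs + $svcs | Sort-Object Kind, Name, Path, Detail -Unique
}

function Get-EntryKey {
    param($Entry)
    # Processes are keyed on name + path, so svchost.exe running from anywhere
    # but System32 is flagged even though the name is familiar. Services also
    # include the start mode so a Disabled -> Auto change shows up.
    if ($Entry.Kind -eq 'Service') {
        return "$($Entry.Kind)|$($Entry.Name)|$($Entry.Path)|$($Entry.Detail)"
    }
    return "$($Entry.Kind)|$($Entry.Name)|$($Entry.Path)"
}

$now = Get-Snapshot

if ($Record) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $Baseline
    "Recorded $($now.Count) entries to $Baseline"
    return
}

if (-not (Test-Path -LiteralPath $Baseline)) {
    throw "No baseline at $Baseline; run with -Record on a known-clean system first."
}
$known = Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json

$knownKeys = @{}
foreach ($k in $known) { $knownKeys[(Get-EntryKey $k)] = $true }

$new = @($now | Where-Object { -not $knownKeys.ContainsKey((Get-EntryKey $_)) })

if ($new.Count -gt 0) {
    "Entries not in baseline (review these):"
    $new | Format-Table Kind, Name, Detail, Path -AutoSize
} else {
    "No processes or services outside the baseline."
}
```

The diff is only as good as the baseline: record it immediately after a clean install (or after you have finished removing OEM extras), and re-record after every deliberate install so that the list of “new” entries stays short enough to actually read. A signed binary in the expected path is not proof of anything, but an unsigned one in a user-writable directory is where to start looking.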

I don’t particularly mind not being able to look over every single process in Vista, because I know it is inherently much more secure than XP and more difficult to penetrate, thanks to the inclusion of Windows Defender, sandboxing, firewall improvements, etc.; it’s easier to lock down and secure the system anyway. So, on the one hand it’s nice not to think about it all the time, and on the other hand I feel like I am relinquishing too much control to the OS.

admin@variableghz.com
