Windows 7 is a big operating system with an efficient architecture, but its inner world of processes and services can be a confusing place if you’re not used to it.

If you don’t know what you’re looking at, it’s easy for malware to masquerade as a legitimate process, and for legitimate processes to frighten you so much that you kill them, crash the system and lose data.

Then there’s the matter of your anti-malware protection or Windows popping up warnings about processes needing your permission to access resources. Will accepting the request infect your machine, or worse?

Hierarchy of processes

To work out whether a process is benign or malicious, it’s useful to understand something about the structure of a running installation of Windows 7.

After you power up the PC and it passes its self-tests, the BIOS loads the master boot record from the primary hard disk partition and runs it. This in turn loads and runs the Windows 7 kernel image, which then begins unpacking the other processes it needs to help it create all the processes that constitute the OS.

All modern operating systems have a hierarchy of processes. In Windows 7, there are usually three or four top-level processes. One such process is called ‘wininit’, whose direct descendant (the process it starts itself) is called ‘services.exe’.

As you might expect, it’s the job of this process to spawn child processes that run as independent services in the background. However, there’s often a degree of confusion that creeps into the user’s mind over this seemingly simple task.

The confusion is that ‘services.exe’ starts multiple instances of a process called ‘svchost.exe’. Search for the term and you’ll find many forum posts from worried users asking if their PC has been taken over by malware and asking how to kill all those multiple processes.

However, it’s normal to have many instances running in parallel, and killing them can harm the running OS. If this happens, you’ll need to reboot and may lose data or even corrupt your hard disk.

The reason there are so many instances of ‘svchost.exe’ is that it acts as a launcher for processes that run from DLLs rather than EXE files. These are apportioned between many instances of ‘svchost.exe’ for efficiency, speed and system resilience.

‘Services.exe’ also starts many other service processes that run directly from EXE files. These include the service portion of your anti-malware products, updaters for third-party products and Windows 7, and services for power management and the Windows Live Sign-in Assistant Manager.

Another process that causes confusion and fear in the minds of users is the innocent ‘Search Indexer.exe’. When the hard disk light stays lit for prolonged periods of time, it’s normal to worry about what’s going on, but it’s usually down to this benign and useful part of Windows 7.

It simply indexes all your files for use in Windows Search. Its index is used when you type in the name of a file in the Start Menu search box and when you search for files in Explorer. It’s even used by Windows 7’s Libraries feature.

Another vital top-level process is ‘explorer.exe’. This process runs the Windows 7 desktop and is the mother process for all your running applications, including those that sit in the system tray of the task bar, ready for use.

Improving the view

Traditionally, processes, services and applications are viewed using Task Manager. In Windows 7, it’s started by pressing [Ctrl]+[Alt]+[Del], then selecting it from the menu.

Task Manager sorts full applications, underlying system processes and services into three tabs, but it doesn’t show you everything. Where are all those ‘svchost.exe’ processes? Task Manager hides a lot from you, and when you’re investigating system activity, this limited view of what’s going on is to be avoided.


Instead, a better option is to download and run our old friend Process Explorer, available from Windows Sysinternals author Mark Russinovich. Process Explorer needs no installation. Simply unzip the archive and drag the files into a convenient directory.

To run Process Explorer, right-click its icon and select ‘Run as administrator’. Starting in this way gives Process Explorer more access to important information. Click ‘Yes’ on the ‘User account control’ window that pops up.

If you’re running on a 64-bit CPU, you’ll notice that a second executable suddenly appears in the directory containing Process Explorer. This is called ‘procexp64’, and is a wrapper that the original 32-bit executable creates to satisfy conditions for running on a 64-bit machine. It’s a temporary file and should disappear when you close the running program, though you might have to press [F5] to refresh the directory to see this.

Process Explorer works the same in 32-bit and 64-bit environments. It provides far more detail than Task Manager, and it can manage tasks just as well as the Windows 7 offering.

To begin, click the ‘Process’ column until the display changes to an indented hierarchy. This makes it easy to see which processes are the parents of others. ‘Wininit’, for example, is the ancestor of a large number of processes, including those multiple instances of ‘svchost.exe’. Now that we have a better view of the running OS, we can begin to look for malicious processes masquerading as legitimate ones.

With all those svchost processes running, it’s relatively easy for malware to call itself something that will look like ‘svchost’ to the untrained eye. For example, it might call itself ‘svch0st.exe’ (with a zero), ‘svhost.exe’ (without the ‘c’), or any other combination of letters and numbers that attempt to subtly resemble the original file name. These are all malicious impostors.

To make it easier to spot such files, you can click the ‘Process’ column heading until you get an alphabetical listing. To get more details of any process, double-click it. You can verify that the process hasn’t been tampered with or infected by malware by selecting the ‘Image’ tab.

Next to the process’s icon are the words ‘Not verified’. Clicking the ‘Verify’ button verifies the image against a stored signature. Process Explorer uses the running process to generate its own signature and compares the two. If they match, it changes the text to read ‘Verified’. When verifying images, pay particular attention to processes that have no entry in the ‘Company name’ column, those whose description is blank or meaningless, and those whose name is a jumble of letters.

If verifying the image of a seemingly legitimate process produces the message ‘Unable to verify’, don’t panic. It’s likely that the manufacturer isn’t a verified signer of images. Some very old software, like Office 2000, has no signature to check, which will lead to an ‘Unable to verify’ message.


For cases like this, Process Explorer also has a handy feature for checking the validity of any running process by using the knowledge of the wider community of Windows 7 users.

Right-click a suspicious process and select ‘Search Online’. Your web browser will then open and Process Explorer will perform an online search.

One particularly good, authoritative source of information for each process is www.processlibrary.com. If this site doesn’t appear in the search results, you can add the phrase ‘site:www.processlibrary.com’ to the end of the search term to return results from that site only.

Another good way of checking whether a process is malware is to examine the path leading to its executable. By double-clicking a suspicious process and clicking the ‘Image’ tab, you can see the full path to the executable, the options used to start the process, and the working directory it uses.


System directories in Windows 7 are all well protected by default, so any malware will have to use a temporary directory outside of the system area. Any process that isn’t an application you’ve started (or a service related to an application you’ve installed) and which shows a path or working directory outside of the C:\Windows directory tree should be treated as possible malware, especially ones that use the ‘Temp’ directory.
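As an added example (not code from the original tutorial, and not a Sysinternals tool), the Python below turns the checks described above into a small triage routine: look-alike names such as ‘svch0st.exe’ or ‘svhost.exe’, core images running outside C:\Windows or from a Temp directory, and ‘svchost.exe’ instances not started by ‘services.exe’. The `Proc` record, the `CORE_NAMES` set and the sample snapshot are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Core Windows 7 process names that impostors typically mimic (assumed set)
CORE_NAMES = {"svchost.exe", "services.exe", "wininit.exe", "explorer.exe", "searchindexer.exe"}
# Digits commonly swapped in for look-alike letters (svch0st.exe and friends)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SYSTEM_ROOT = "c:\\windows\\"  # the protected system tree the genuine images live in

@dataclass
class Proc:
    pid: int
    name: str         # image name as shown in the Process column
    path: str         # full path from the Image tab
    parent_name: str  # parent process in the tree view

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: one edit away from a core name is suspicious
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(p: Proc) -> List[str]:
    # Apply the article's name, path and parent checks to one process
    findings = []
    name = p.name.lower()
    path = p.path.lower().replace("/", "\\")
    if name not in CORE_NAMES:
        for core in sorted(CORE_NAMES):
            if name.translate(HOMOGLYPHS) == core or edit_distance(name, core) <= 1:
                findings.append(f"name resembles core process {core}")
                break
    elif not path.startswith(SYSTEM_ROOT):
        findings.append("core process name running from outside C:\\Windows")
    if "\\temp\\" in path:
        findings.append("image runs from a Temp directory")
    if name == "svchost.exe" and p.parent_name.lower() != "services.exe":
        findings.append(f"svchost.exe started by {p.parent_name}, expected services.exe")
    return findings

# Constructed sample snapshot (not real data): one genuine svchost.exe and two impostors
SAMPLE = [Proc(820, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
          Proc(4120, "svch0st.exe", r"C:\Users\Bob\AppData\Local\Temp\svch0st.exe", "explorer.exe"),
          Proc(4188, "svchost.exe", r"C:\Users\Bob\AppData\Roaming\svchost.exe", "explorer.exe")]
SUSPECTS = {p.pid: f for p in SAMPLE if (f := check_process(p))}  # only processes with findings
```

A real snapshot could be fed in from the path and parent information Process Explorer shows; a process with no findings still deserves the signature and ‘Search Online’ checks described in the text.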

Spying on spyware

Discovering what a suspicious process connects to, if anything, is a good way of deciding whether it’s malicious. If a botnet client has infected your computer, it’ll need to phone home to receive orders on a regular basis, for example.

In Process Explorer, double-click the suspicious process, then click the ‘TCP/IP’ tab. To convert the IP addresses listed into DNS names, ensure that the ‘Resolve Addresses’ tick box is selected. Note down any unknown sites and search for them online.

Many of the processes you interrogate in this way will be listening to the local machine. You can tell because rather than the local or remote address being an external DNS name, both will be your PC’s name, a colon, and the port number. Many processes use ports to communicate locally; it’s nothing to worry about.

Sometimes normal processes can go wild and suddenly take nearly 100 per cent of the CPU time. If you have a dual core processor or better, you can still access the system and kill the process using Process Explorer.

It’s a good idea to keep Process Explorer open in the background for a few days to get a feel for what’s normal for your PC based on your typical usage. You’ll see your anti-malware update itself, discover what uses most CPU, see which applications hog your memory and much more.

You can also add columns to the display by right-clicking a column heading and selecting ‘Select columns’. The range of columns covers memory, disk and network use, threads, DLLs and even .NET components.

Read the original here:
Tutorial: How to spot suspicious processes in Windows 7