Securing your Windows XP vol. 1
April 4, 2005 - Part II
by Andrew Cooper
2. Controlling which programs are running
Although Microsoft's introductory textbooks to Windows XP state that the running applications are shown on the Windows Taskbar, this is actually only half-true. Many running (or active) programs are hidden from the user's eye and instead are being run in the background.
Scores of pests, malware, and viruses take advantage of the fact that a user cannot clearly see what is running on his or her computer, and run their hostile code in disguise. It's no wonder they cause so much pain to the unsophisticated Windows owner, who cannot clearly identify unwanted applications and close them promptly. The standard user interface simply doesn't provide for this.
Hidden deep inside Windows is a small utility called Windows Task Manager. Invoked with the Ctrl+Shift+Esc key combination, it lists all the programs (processes) currently active and lets you easily terminate the unwanted ones.
The Applications tab lists programs that are currently running, while the Processes tab gives further detail: which processes have been started, how many resources they're consuming, and so forth.
From that window, you can sort the running processes by name, memory consumption, processor load, or other parameters. The Processes tab is also the practical place to end, or "kill", a process: right-click a process and select "End Process" to stop any unneeded application or service.
But before ending a task, pause for a minute and collect the necessary information about the program you're going to end. Normally, you don't need to terminate running processes from within the Task Manager window unless you're absolutely certain the process is unintended and cannot be stopped from elsewhere. Ignorantly killing a legitimate, intended application or an important Windows service may render your entire system unworkable for the current Windows session, or result in the loss of data or unsaved work.
Although there is a real risk of losing important information, a deliberate, savvy and intelligent approach to terminating superfluous applications can work wonders for your system: it not only frees up memory and processor resources but can also kill a destructive element thriving on your system.
To help you determine which programs the processes seen in the Task Manager window truly represent, there are plenty of Internet resources to turn to, from a simple Google search on the executable's name to the dedicated resource www.processlibrary.com, where you can get all the extensive information required to "map" a process in question.
Additionally, processes with names such as smss.exe, csrss.exe, winlogon.exe, lsass.exe, svchost.exe, spoolsv.exe, mdm.exe, alg.exe and ctfmon.exe are Windows' own programs, started by the OS itself, so they are better left alone.
The problem with Windows Task Manager is that it doesn't list the location from which each process was launched, which makes verifying malicious elements more challenging. Hence, a malicious program can easily trick the user by taking the name of a legitimate Windows program and launching itself from a different location: Task Manager then lists a name that matches the "benign" program, and any nefarious element can impersonate it and mislead a user who relies solely on the name of a program when judging whether it belongs. Just as a "proof-of-concept" example, I copied the Notepad program onto c:\, renamed the executable to alg.exe and launched it. Windows Task Manager shows two alg.exe's on its list, the second of which is actually Notepad.
So, users who wish to have more "fruitful" information concerning the location from which a process was started need to download some type of third-party software, such as Far Manager (free) or WinTasks (commercial). Below is a screenshot of the information from Far Manager's process list window on the alg.exe:
Everything is clear: alg.exe was started from c:\ and had a description of "Notepad", a common Windows program.
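The check Far Manager makes by hand above (a system process name running from somewhere other than the Windows system directory) can be automated. The following is an added example, not code from the article; it assumes the default XP system directory C:\WINDOWS\system32, uses the third-party psutil library only for optional live enumeration, and otherwise runs on a constructed process list that mirrors the renamed-Notepad test.

```python
"""Flag processes whose name matches a core Windows system process
but whose on-disk image lives outside the Windows system directory."""
from typing import Iterable, List, NamedTuple

# Names the article lists as started by the OS itself.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "mdm.exe", "alg.exe", "ctfmon.exe",
}
# Assumption: default Windows XP system directory; adjust for other installs.
SYSTEM_DIR = r"C:\WINDOWS\system32"


class Proc(NamedTuple):
    pid: int
    name: str
    path: str  # full path of the image file as reported by the OS


def is_impersonation(p: Proc, system_dir: str = SYSTEM_DIR) -> bool:
    """True when a system process name runs from outside system_dir.
    Windows paths are case-insensitive, so compare in lower case."""
    if p.name.lower() not in SYSTEM_PROCESS_NAMES:
        return False
    parent = p.path.replace("/", "\\").rsplit("\\", 1)[0].lower()
    return parent != system_dir.rstrip("\\").lower()


def flag_impersonations(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if is_impersonation(p)]


def live_processes() -> List[Proc]:
    """Enumerate running processes with psutil (third-party, optional).
    p.info['exe'] is None where the OS denies access; such entries are skipped,
    so run with administrator rights for full coverage."""
    import psutil  # assumption: psutil is installed
    return [Proc(p.info["pid"], p.info["name"], p.info["exe"])
            for p in psutil.process_iter(["pid", "name", "exe"]) if p.info["exe"]]


# Constructed sample: the real alg.exe plus Notepad renamed to alg.exe in C:\.
SAMPLE = [
    Proc(1040, "alg.exe", r"C:\WINDOWS\System32\alg.exe"),
    Proc(2216, "alg.exe", r"C:\alg.exe"),
    Proc(1728, "notepad.exe", r"C:\WINDOWS\notepad.exe"),
]

if __name__ == "__main__":
    for p in flag_impersonations(SAMPLE):
        print(f"suspicious: pid {p.pid} {p.name} started from {p.path}")
```

The check catches the name-from-the-wrong-folder trick the article demonstrates; it says nothing about a file that has replaced the genuine one inside the system directory, which needs a hash or signature comparison instead.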
One last word about programs that are active on your computer: the fewer of them running while your computer is connected to the Net, the better for the security of your computer. Since running programs dwell in your computer's system memory, which is shared among all the other running programs, a security hole in one program could spill over into the rest of its "co-workers", compromising the entire system.