Guy’s Best Practice & Litmus Tests Ezine #20 – Task Manager
Suppose that one of your machines was ‘playing up’. Where would you turn for assistance? Event Viewer, built-in help, TechNet? I suggest that Task Manager would be a good place to start looking for clues.
Flashy Method to Launch the Task Manager
The Task Manager has been around for at least 10 years, so your Vista, XP or even 2000 Pro machine will have the interface for you to try my challenges. If your left hand has a big reach then you may like to launch the Task Manager using the shortcut keys: CTRL +Shift +Esc. Alternatively, try CTRL +Alt +Del and click Task Manager. (Start Menu, Run, taskmgr would be my other suggestion.)
Set Task Manager’s Preferences
Before using any program in earnest, I like to set the preferences; with Task Manager I like to remove the tick which says ‘Always on top’ (Options menu). Many, many years ago I fell for the trap of carelessly double clicking inside Task Manager, and as a result the top menu with File, Options, Help disappeared. I could not figure out what had happened until I double clicked near the top, and lo and behold the menu reappeared. It was a greenhorn mistake; I mention it because there are about 3 or 4 other Microsoft programs that display the same menu behaviour.
You have probably called up the Task Manager many times so that you can zap programs that are not responding. If you are in charge of other users, why not send them an email explaining or reminding them how to use this tab? Our hidden agenda is to save you work in sorting out other people’s problems.
Guy Recommends: The Free IP Address Tracker (IPAT)
Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets. IPAT cracks this problem of allocating IP addresses in networks in two ways:
For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges.
For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker
Task Manager Litmus Test:
Professionals: Are familiar with the Task Manager in general, and the Processes tab in particular. Experts know the significance of each Image Name.
Amateurs: Complain that Image Names are too difficult to understand. Beginners never look further than the Applications tab.
Get to know the Task Manager Processes
My goal is to help you play ‘spot the impostor’. By that I mean you can detect viruses, worms or Trojan horses in Task Manager. It almost goes without saying that a good virus checker should detect and quarantine such malware. However, every time I have been infected, my virus checker has lagged behind in issuing an update that could deal with the infection.
By scanning the Image Names you can home in on a suspicious malware program that has sneaked into your system. Once you see a program that should not be there, not only will you ‘End Process’, but you will also research where the impostor came from. The interloper may have been installed through Add or Remove Programs; however, the really naughty programs hide their tracks, so search the registry for suspicious names from the Image list. Another rich source of information is Google: the chances are that if it is a virus, then a search for the Image Name will produce proof to condemn the process.
So much for the baddies, now for the good guys in the Processes tab Image Names. Here is a list of the key Image Names.
CSRSS – Client Server Sub System, this process IS the Windows shell.
LSASS – This is the Local Security Authentication Sub System, which is responsible for the Logon Box.
Winlogon – Only comes alive when you press CTRL +Alt +Del.
SMSS – Session Manager.
Services – As the name suggests this controls all those Services like Workstation, Alerter or FTP.
System Idle Process – In my view the system cannot bear to be idle, so rather like an engine on tick-over, Windows 2003 runs this process when nothing else needs the CPU.
My list of Image Names is meant to kick-start your interest. I am sure that there will be other Image Names that you can easily recognise, for example spoolsv, explorer and system.
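To turn the ‘spot the impostor’ idea into something repeatable, here is an added PowerShell example (my addition to this page, not a tool from the ezine or from Microsoft). It compares every running image name against a hand-maintained list of names you expect to see, and for anything not on the list it reports the PID, the path on disk and the Authenticode signature status, which is exactly the ‘where did this come from?’ research the text asks for. The starting list is constructed from the names discussed above and is deliberately short; extend it for your own build. It assumes PowerShell 3.0 or later (for `[pscustomobject]`), so it applies to Windows 7 and newer rather than the 2000/XP machines mentioned earlier.

```powershell
# Added example: flag processes whose image name is not in a known-good list.
# The list is a constructed starting point from the names the article discusses;
# it is NOT a complete inventory of legitimate Windows processes.
$expected = @(
    'csrss', 'lsass', 'winlogon', 'smss', 'services', 'svchost',
    'spoolsv', 'explorer', 'system', 'idle', 'taskmgr', 'wininit', 'dwm'
)

function Get-UnexpectedProcess {
    param([string[]]$Known = $expected)

    Get-Process |
        Where-Object { $Known -notcontains $_.ProcessName.ToLower() } |
        ForEach-Object {
            # Path is $null for protected or system processes when not elevated.
            $path   = $_.Path
            $signer = 'n/a (no path)'
            if ($path) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $signer = "$($sig.Status)"
                if ($sig.SignerCertificate) {
                    $signer += " ($($sig.SignerCertificate.Subject))"
                }
            }
            [pscustomobject]@{
                Name      = $_.ProcessName
                PID       = $_.Id
                Path      = $path
                Signature = $signer
            }
        }
}

# Usage: anything listed here deserves the registry and Google research described above.
Get-UnexpectedProcess | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated prompt so that `Path` is populated for system processes; an image with a familiar-looking name but an unusual path, or with a signature status other than `Valid`, is the cue to dig further rather than to end the process on sight.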
Back to the main task of identifying rogue programs. What would you think if you saw Avgserv and Avgcc32 amongst the image names? I must admit my heart missed a beat; I thought my machine had been infected by a virus, but no, it was actually my virus checker which had installed itself as a process. Naturally I left that running!
How about msblast.exe? Was this a game that my nephew installed? Well, I tried a search in Google and up came the W32/BlasterA virus. Here was a case where I needed to check the registry, as the Blaster virus cunningly re-infects those who are not diligent. Other viruses have more innocuous names like Tlntsvr.exe and Wina.exe, so this is why you need to get to know the regular image names.
Svchost.exe looks suspicious; moreover it seems to have replicated itself already. But no, svchost is merely a shell for your services. There are at least 20 services like DHCP, WINS, Terminal Services and Alerter. Now it turns out that some of these services would fight each other; Windows 2003 knows this and separates services that cannot co-operate by creating multiple svchost.exe shells. Again I make the point that if you study these image names you are rewarded by greater knowledge of Windows and a smoother running machine.
As this week’s bonus I have a program called Tlist.exe (Task List). Remember my question when you see any new tool: ask where does this utility come from? The answer for Tlist is that it’s part of the Windows 2000 Resource Kit, or else you can download it here. For our needs try Tlist -s, which lists the services and their processes. Download Tlist
It’s funny how you have to keep on learning to get the most out of a utility. The extra work needed here is to persuade the Processes tab in Task Manager to display the PID (Process ID). How do you get this unique PID number to appear? In Task Manager, select the View menu, then Select Columns, and check PID (Process Identifier). Now when you go back and run Tlist -s you can match the PID in the ‘DOS box’ with the PID in Task Manager.
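The PID matching described above, and the question of which services each svchost.exe shell is hosting, can be done without Tlist on a modern machine. The following PowerShell is an added example (mine, not part of the ezine or of the Resource Kit) that groups services by the PID of the process hosting them, so each row lines up with a PID in Task Manager, and then lists any service that claims to run inside svchost.exe from somewhere other than the real `%SystemRoot%\System32\svchost.exe`, which is the trick the ‘innocuous names’ paragraph warns about. It assumes PowerShell 3.0 or later and the standard `Win32_Service` CIM class.

```powershell
# Added example: the 'tlist -s' view rebuilt with Get-CimInstance.
# Stopped services report ProcessId 0, so they are filtered out.
function Get-ServiceHost {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            # Group-Object exposes the PID as a string in .Name; look the process up by it.
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID      = [int]$_.Name
                Image    = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path     = if ($proc) { $proc.Path } else { $null }
                Services = ($_.Group.Name | Sort-Object) -join ', '
            }
        } |
        Sort-Object PID
}

# Services whose configured command line names svchost.exe but not the genuine
# copy in System32. A legitimate build should return nothing here.
function Get-OddSvchostService {
    $real = Join-Path $env:SystemRoot 'System32\svchost.exe'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -match 'svchost\.exe' -and
            $_.PathName -notmatch ('^"?' + [regex]::Escape($real))
        } |
        Select-Object Name, State, PathName
}

# Usage: the first table is what you match against the PID column in Task Manager.
Get-ServiceHost | Format-Table -AutoSize -Wrap
Get-OddSvchostService
```

Several rows sharing the image name svchost.exe with different PIDs is the normal picture the text describes; the thing to notice is an svchost row whose `Path` is not under System32, or a service that `Get-OddSvchostService` reports, since neither is something Windows itself produces.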