Guide to Processes

What are Processes?

Process is one of the core terms in operating systems. The simplest but still precise explanation is that a process is a program in execution, a running instance of a program. In operating system theory a process passes through several states (running, blocked, terminated and so on), but that is more detail than somebody who just wants to monitor what is going on on their computer needs. (For those who are interested in more detail, Operating Systems: Design and Implementation and Modern Operating Systems by Andrew Tanenbaum are excellent sources of in-depth information about processes and operating systems as a whole.)

Modern operating systems run many processes at the same time, although on a single-core processor only one process actually has the processor at any given instant. The other processes are waiting for their turn, which is why, when you look at the processes on your computer, you see a long list of processes that are all "running". With a dual-core processor two processes can execute simultaneously, but this does not change the picture: one (or two) processes are executing and dozens of others are waiting to be given the processor.

Many operating systems allow processes to be divided further, into threads. For example, Program A runs as Process A, and Process A has threads A1, A2, A3, etc., each executing a subtask of Program A. Threads belong to the process that started them and when the process terminates, they terminate as well. Process management is one of the basic activities of an operating system. When a process consumes too much CPU time it slows down the whole system, and the usual way to free the resources it holds is for an administrator to terminate it.

When processes are forcibly terminated, this often results in loss of data, but given the choice between a hung system and a killed process, loss of data may be acceptable. There are processes that can't be terminated because their execution is vital for the functioning of the whole system. Killing processes arbitrarily is a bad idea even where the operating system lets you kill a process of your choice; the right approach is first to identify which program started the process and what resources it is using, and only then to terminate it. Killing the bad guys, i.e. unwanted processes, is described in the last section of this article.

Windows Processes

After the brief explanation of what processes are, let's see how this relates to Windows. Windows, like most modern operating systems, supports multitasking and multithreading, and when you press CTRL+ALT+DEL (or CTRL+SHIFT+ESC, which opens the Task Manager directly) and bring up the Task Manager, you will see something like this:


You see an Image Name column listing all processes of the currently logged-in user (if the Show processes from all users checkbox were checked, the list would include the processes of all users), the name of the user who owns each process, and data such as the CPU and memory usage of the particular process. Some process names are self-explanatory (firefox.exe), others are a bit cryptic. Don't worry if you can't guess what a particular Image Name stands for; there are good online references, like http://www.processlibrary.com or http://www.what-process.com/lists.aspx, where you can look up which program a given process belongs to. Keep in mind that the name alone does not identify the program: any executable can be named firefox.exe, so the path it runs from (Properties, or the Image Path Name column in newer versions of Task Manager) is the more reliable clue.

However, it does not hurt to know the names of a couple of the essential Windows processes. There might be differences in the list of essential Windows processes for the various versions of Windows but basically the major ones are as follows:

  • System Idle Process
  • explorer.exe
  • winlogon.exe
  • svchost.exe
  • lsass.exe
  • services.exe
  • spoolsv.exe
  • smss.exe
  • csrss.exe
  • taskmgr.exe

Usually several instances of svchost.exe are running. This is normal: svchost.exe is a generic host for Windows services that are implemented as DLLs rather than as stand-alone executables, and related services are grouped into separate svchost instances that run under different built-in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE). It is one of the most important processes in Windows and if you terminate an instance, the services it hosts stop and your computer will become unstable. What is not normal is that svchost.exe is also one of the names most often borrowed by trojans and backdoors: a malicious program that calls itself svchost.exe looks, in the Image Name column, exactly like the legitimate one. The differences are that the legitimate svchost.exe lives in %SystemRoot%\System32, is started by services.exe and runs under one of the built-in service accounts; an svchost.exe in a user profile or temp directory, with a different parent, or owned by an ordinary user deserves a closer look. More on this later. I am not going to explain all the processes here, so if you are interested in learning more about them, go to http://www.processlibrary.com or http://www.what-process.com/lists.aspx; the lists there are really good.

I have used words like important and essential to describe the processes. Not all processes are equal, and you can also make one process more important than another by giving it a higher scheduling priority. By default processes run at Normal priority, but if you are running a special program that needs more processing power, or that must get the processor immediately when it needs it, you can raise its priority from Normal to Above Normal, High or Realtime. Conversely, if you would like a process to receive less than its normal share, select Below Normal or Low. To set the priority, right-click the process in the Image Name column, select Set Priority from the context menu and choose the desired level. You can change the priority of most processes; System Idle Process is one of the few exceptions, because it is a vital process whose priority users shouldn't be allowed to mess with. Realtime also needs a word of warning: a Realtime process can starve the rest of the system, including the input handling you would use to stop it, so it is rarely a good idea.
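The same priority change done from PowerShell, as an added example that is not part of the original article. Task Manager's labels map onto the .NET ProcessPriorityClass values (Task Manager's "Low" is the class called Idle), and the function reads the priority back after setting it because Windows silently downgrades a Realtime request to High when the caller lacks the SeIncreaseBasePriorityPrivilege privilege, which an unelevated shell does. The function name and the process name used in the usage line are assumptions for the example.

```powershell
# Added example: set a process priority the way Task Manager's Set Priority menu does.
# Map Task Manager labels to System.Diagnostics.ProcessPriorityClass names.
$priorityMap = @{
    'Realtime'     = 'RealTime'
    'High'         = 'High'
    'Above Normal' = 'AboveNormal'
    'Normal'       = 'Normal'
    'Below Normal' = 'BelowNormal'
    'Low'          = 'Idle'
}

function Set-TaskManagerPriority {
    param(
        # Process name as shown by Get-Process (without .exe), wildcards allowed.
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)]
        [ValidateSet('Realtime', 'High', 'Above Normal', 'Normal', 'Below Normal', 'Low')]
        [string] $Priority
    )
    $class = [System.Diagnostics.ProcessPriorityClass] $priorityMap[$Priority]

    foreach ($proc in Get-Process -Name $Name -ErrorAction Stop) {
        try {
            $proc.PriorityClass = $class
            # Read back: a Realtime request from a process without
            # SeIncreaseBasePriorityPrivilege comes back as High, not an error.
            $effective = (Get-Process -Id $proc.Id).PriorityClass
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Requested = $class
                Effective = $effective
            }
        } catch {
            # Typical cause: the process belongs to another user or is a protected
            # system process, and this shell is not elevated.
            Write-Warning ("{0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $_.Exception.Message)
        }
    }
}

# Usage (assumed example target): lower a backup job so it stops hogging the CPU.
Set-TaskManagerPriority -Name 'notepad' -Priority 'Below Normal'
```

If Requested says RealTime and Effective says High, the shell was not elevated; that is the kernel's fallback rather than a bug in the script.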

If you need more in-depth data about a particular process, for instance the whole process tree, the threads in the process, its network connections, or its handles and loaded DLLs, the Windows Task Manager will not be enough. Instead, download the free Process Explorer by Mark Russinovich (part of the Sysinternals tools) and you will see all this and much more information about the processes on your computer.

Killing the Bad Guys

When you right-click a process in the list of processes, you see the End Process and End Process Tree commands. The first terminates the process itself; the second terminates the process together with all of its descendants. You get a warning that terminating a process this way might cause system instability, but if you are killing a program that is not responding anyway, you may actually gain some stability (or at least processor time). Killing a process through the Windows Task Manager is worthwhile only when the program has hung and you need to free the resources it holds.
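End Process Tree done by hand from PowerShell, as an added example that is not part of the original article. It walks the parent/child links that Win32_Process exposes, stops the descendants before the process you asked for, and supports -WhatIf so you can see what would be killed first. The function name is an assumption; the PID in the usage lines is a placeholder. One caveat a practitioner would want built in: Windows reuses process IDs, so an old orphaned process may carry, as its ParentProcessId, the PID of an unrelated process that was started later. The walk therefore only accepts a child that was created after its supposed parent.

```powershell
# Added example: equivalent of Task Manager's "End Process Tree".
function Stop-ProcessTree {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [int] $ProcessId)

    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int] $p.ProcessId] = $p }
    if (-not $byPid.ContainsKey($ProcessId)) { throw "No process with PID $ProcessId" }

    # Breadth-first walk down the ParentProcessId links. A child is accepted only
    # if it was created after its parent, which filters out orphans whose parent
    # PID has since been reused by the process we are about to stop.
    $ordered = @()
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue($ProcessId)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        $ordered += $byPid[$current]
        foreach ($child in $all) {
            if ([int] $child.ParentProcessId -eq $current -and
                [int] $child.ProcessId -ne $current -and
                $child.CreationDate -gt $byPid[$current].CreationDate) {
                $queue.Enqueue([int] $child.ProcessId)
            }
        }
    }

    # Stop the deepest descendants first and the requested process last, so a
    # parent cannot notice a dead child and respawn it while we work upwards.
    [array]::Reverse($ordered)
    foreach ($p in $ordered) {
        $label = "{0} (PID {1}, path {2})" -f $p.Name, $p.ProcessId, $p.ExecutablePath
        if ($PSCmdlet.ShouldProcess($label, 'Stop-Process -Force')) {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage: preview first, then do it for real (1234 is a placeholder PID).
Stop-ProcessTree -ProcessId 1234 -WhatIf
Stop-ProcessTree -ProcessId 1234
```

Run the -WhatIf line first and read the paths it prints: if a "hung" application's tree turns out to include something started from an unexpected directory, that is worth investigating before it is gone.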

Browsing through the processes in the Windows Task Manager may also give you a clue that you have viruses, spyware, adware or other malware on your computer. If you notice a strange process in the list, check which program it belongs to and where its executable lives, and if it is malware, take the appropriate measures (e.g. run your antivirus or anti-spyware program).

However, bear in mind that not seeing any suspicious process in the list does not mean that your computer is clean. Most advanced malicious programs are written to remain hidden and will rarely announce themselves in the process list. Malicious code most often hides inside a perfectly legitimate process (injected into it, or loaded as a DLL by it) or uses the same name as a Windows service or a popular program (the svchost.exe example), and the name alone in the Task Manager process list will not alert you; the path the executable runs from, the account it runs as and the process that started it are what give it away. And even if a malicious program does show in the list, stopping the process will not remove it from your computer; it is usually configured to start again, so you need to take additional measures to clean it completely. Still, occasionally having a look at what processes are running on your computer is a good habit to pick up!
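The svchost.exe check described above and in the Windows Processes section, as an added example that is not part of the original article. It lists every process named svchost.exe and flags an instance when its executable is not %SystemRoot%\System32\svchost.exe, its parent is not services.exe, it is owned by something other than the three built-in service accounts, or the file is not validly signed by Microsoft. It assumes an elevated PowerShell 3.0 or later on Windows 7 or later (the CIM cmdlets, and Get-AuthenticodeSignature for the signature check); the variable names are assumptions for the example.

```powershell
# Added example: audit svchost.exe instances by path, parent, owner and signature.
$expectedPath   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$expectedOwners = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int] $p.ProcessId] = $p }

$report = foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $owner    = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $parent   = $byPid[[int] $p.ParentProcessId]
    $findings = @()

    # 1. The real host binary has exactly one home.
    if ($p.ExecutablePath -ine $expectedPath) {
        $findings += "unexpected path '$($p.ExecutablePath)'"
    }
    # 2. Service hosts are started by the Service Control Manager, services.exe.
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $findings += "parent is '$($parent.Name)' (PID $($p.ParentProcessId))"
    }
    # 3. Service groups run as one of the built-in service accounts.
    if ($owner.User -notin $expectedOwners) {
        $findings += "owner is '$($owner.Domain)\$($owner.User)'"
    }
    # 4. The binary on disk should carry a valid Microsoft Authenticode signature.
    if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature status $($sig.Status)"
        }
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Path     = $p.ExecutablePath
        Parent   = $parent.Name
        Owner    = $owner.User
        Findings = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize
```

Two caveats before treating a flagged line as an infection. Without elevation, GetOwner and ExecutablePath come back empty for processes of other accounts, so run the check elevated or every SYSTEM-owned instance will be flagged. And on Windows 10 and later some per-user services run in an svchost.exe owned by the logged-on user, so an owner finding on its own is not conclusive there; a wrong path or a wrong parent is a much stronger signal. The same four checks (path, parent, owner, signature) apply to any process whose name you recognise but whose behaviour you don't.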
