Sunday, June 29, 2008

System Processes: What’s Going On Behind The Scenes

As avid computer users, we tend to expect our systems to be able to perform much like we perform. If we can listen to music, write an email, and surf the Internet all at once, then our computer should be able to keep up, right? Managing multiple tasks at once is nothing new for computers, but if your computer starts struggling to run just a handful of applications, then it may be swamped with too many system processes running in the background.

System processes consist of a number of hidden applications that run in the background without your immediate knowledge. More than a dozen valid system processes load and begin running every time you start your computer. Even more start as they become necessary, like when you start browsing the Internet or launch a program such as Microsoft Word. You need some system processes for certain things on your computer to work properly. For instance, the Explorer.exe system process is responsible for the Windows visual interface items such as the Start menu, Taskbar, Desktop, and File Manager.

Not all system processes are created equal, however. Some are merely optional and consume valuable CPU cycles needlessly. Some of these processes are utterly useless adware and spyware, which can gather and broadcast information about your Web viewing habits. Other items have even more sinister purposes; crackers can use some system processes to hijack your computer. You can attempt to turn off these processes, but typically you’ll have to resort to an antivirus application to get rid of the pesky CPU hogs once and for all.

Take A Peek

To see a list of processes in Windows 2000/XP, press CTRL-ALT-DELETE, click Task Manager, and then select the Processes tab. Windows lists the processes with the Image Name in the far-left column, followed by the name of the initiating user, the amount of CPU time the process is using, and the amount of memory the process is consuming. To stop a process, select the item from the list and click the End Process button in the bottom-right corner of the Windows Task Manager. Ending unnecessary processes can be a quick way to boost your PC’s performance, but ending necessary processes can “break” certain applications, and even make your computer unusable until you restart the process or restart the computer. Some necessary processes can’t be ended, and for good reason. The list on the following pages gives you an overview of some of the more common system processes and application processes, as well as some of the less common hardware-related background processes.

Alg.exe

The Alg.exe system process refers to Microsoft’s Application Layer Gateway Service, which is necessary if you use Microsoft’s Windows Internet Connection Sharing or the Internet Connection Firewall. If the process is running, then you probably need it, as ending it may adversely affect your computer.

Ati2evxx.exe

Ati2evxx.exe is a hardware-related background process that maintains the ATI Display Adapter Assistant. You may see this process in your Task Manager if you have an ATI graphics card. This process lets you configure your display settings but is not a vital Windows process.

Csrss.exe

This system process is part of the Microsoft Client/Server Runtime Server Subsystem, which handles a majority of Windows’ graphical commands. The genuine Csrss.exe process, which is necessary, runs from the C:\WINDOWS\SYSTEM32 folder. If you see two versions of the process running simultaneously, then one of them is likely a virus running from another location. You can address the problem by scanning your computer with an antivirus utility.

Ctfmon.exe

The Ctfmon.exe system process is part of Microsoft Office, and it enables the Alternative User Input Services, such as the Text Input Processor. For Office XP users, Ctfmon.exe also manages the Language Bar. Unless you use the Language Bar, speech recognition, handwriting recognition, the on-screen keyboard, translation applications, and other accessibility and alternative user input programs, this system process isn’t necessary and shouldn’t cause problems if you end it.

Dllhost.exe

This is a system process that runs in the background and refers to the Microsoft DCOM (Distributed Component Object Model) DLL (Dynamic Link Library) Host Process, which handles DLL-based programs. Multiple programs can use this process simultaneously, which can result in more than one instance of Dllhost.exe in your Task Manager’s processes list. Don’t terminate Dllhost.exe if you encounter it.

Explorer.exe

The Explorer.exe system process refers to the Windows Program Manager and Windows Explorer. This process handles items such as the Start menu, Taskbar, Desktop, and File Manager, and it is vital to the operation of your computer. You can end this process, but doing so will remove the graphical interface.

GoogleDesktopCrawl.exe

GoogleDesktopCrawl.exe is an application process that corresponds to the Google Desktop Search utility. The process is necessary to use the utility but is not a vital part of Windows.

Hpzstatn.exe

This hardware-related background process refers to the HP Deskjet Taskbar Utility, which corresponds to HP’s Deskjet line of printers. Although this process is not a vital part of Windows, you may find it is necessary to properly use your printer.

Iexplore.exe

Various sources report that between 70% and 80% of all Internet users use Microsoft Internet Explorer to browse the Web, and Iexplore.exe is the system process that launches when you run IE. Iexplore.exe also refers to the Avant Internet Browser, which is a plug-in for IE that adds features such as a Flash animation filter, popup blocker, and search engine. This process is nonessential and typically only appears when you’re browsing the Web. Ending the process will close any open browser windows. If you find Iexplore.exe in any location other than C:\PROGRAM FILES\INTERNET EXPLORER, then the file could be a virus. Perform an antivirus scan on your computer to eliminate this possibility.

Internat.exe

This system process is a part of Microsoft Windows and supports Microsoft Input Locales and the Windows multilingual operations. If you encounter this process, terminating it will likely cause problems with regional and language settings. You can find this process in the C:\WINDOWS\SYSTEM32 folder. If you find the file somewhere else, it is an indication that your computer might be infected with a virus.

Lsass.exe

According to Microsoft, the Lsass.exe system process handles local security authority domain authentication and Active Directory management tasks, otherwise known as Windows security and login policies. A few associated components include the Net Logon service, SSL (Secure Sockets Layer), and the Security Accounts Manager service. This system process is necessary and is located in the C:\WINDOWS\SYSTEM32 folder. A virus going by the same name also exists, but it typically runs from a different location, and you can remove it with an antivirus utility.

Msiexec.exe

This system process refers to the Windows Installer Component, which handles the installation of Windows Installer package files with the MSI (Microsoft Installation) file extension. If you see this process running in your Task Manager, you should not disable it because it is necessary.

Msmsgs.exe

The application process that is named Msmsgs.exe refers to the MSN Messenger online chat and instant messaging application. Most Windows installations include MSN Messenger by default, but allowing this process to run in the background is only necessary if you actually use the application. You can end the process by selecting Msmsgs.exe in the Windows Task Manager and clicking End Process. To prevent MSN Messenger from loading every time you start your computer, click Start, Programs (All Programs in WinXP), and then click Windows Messenger. Click Tools, Options, and then click the Preferences tab. Deselect the Run This Program When Windows Starts and Allow This Program To Run In The Background checkboxes. Msmsgs.exe exists in C:\PROGRAM FILES\MESSENGER. This process has also been associated with a virus, so make sure to scan your computer with an antivirus application if you suspect someone or something has hijacked your MSN Messenger file.

Msoobe.exe

As you might guess from the first two letters of this system process, Msoobe.exe is a Microsoft product. This process pertains to the license key and Windows Product Activation functions, and it appears when you go through the online activation process for various Microsoft products. This process runs when it is required for the proper operation of your system, so don’t end it.

Navapsvc.exe

This background process refers to the Norton AntiVirus Auto-Protect Service, which you’ll find in your Task Manager if you are running the antivirus application. This process is necessary to maintain Symantec’s service, but Windows runs fine without it.

Navapw32.exe

Similar to the Navapsvc.exe process, Navapw32.exe is a part of Norton AntiVirus. This background process refers to the Norton Antivirus Agent, which keeps your system protected from security threats. Navapw32.exe is necessary for Symantec’s software to run properly.

Nvsvc32.exe

If you happen to own one of Nvidia’s graphics cards, you may encounter this hardware-related background process. It refers to the Nvidia Driver Helper Service, which is required to make your graphics card work on your system.

Outlook.exe

As its name suggests, this file refers to Microsoft Outlook’s email client software. You can disable this application process without adversely affecting Windows. If you’re running Outlook, however, you’ll need this process.

Quicktimeplayer.exe

This application process should only appear in your Task Manager’s process list if you have Apple’s QuickTime player running. This application lets you play audio and video files, but the process is not essential for the stable operation of Windows.

Services.exe

This system process pertains to the Windows Service Controller, which is a vital part of the Microsoft Windows OS. Services.exe enables and disables various Windows services during the startup and shut down process and whenever needed. You can find this process in the C:\WINDOWS\SYSTEM32 folder. Your computer may be infected with a virus if you find this file in another location.

Smss.exe

The Smss.exe system process runs in the background to maintain the Session Manager Subsystem, which is a required element of Microsoft Windows. This process manages your user session and launches other important processes such as Winlogon.exe and Csrss.exe. Normally, you can find the Smss.exe file in the C:\WINDOWS\SYSTEM32 folder; if you find it elsewhere, though, it may be a virus.

Spoolsv.exe

The Spoolsv.exe system process is designed to support your computer’s connection to your local printer. This background process refers to the Microsoft Printer Spooler Service, which is an important part of your system. The legitimate version of this file is located in the C:\WINDOWS\SYSTEM32 folder, but it may be a virus if you find the file elsewhere on your system.

Svchost.exe

This Microsoft Service Host process is a critical system process, and it is necessary for the proper operation of your system. At any given point, you may notice several copies of this process in your Task Manager. Each one may handle multiple services and processes that your computer needs to keep handy throughout your computing session. The Svchost.exe file is located in the C:\WINDOWS\SYSTEM32 folder. Any other occurrence of this file may be a virus, so scan your system with an antivirus program if you think this process may be causing your system problems.

System

The System process refers collectively to all of the fundamental OS processes that are necessary for running your computer. The System process is necessary, and you cannot terminate it manually.

System Idle Process

This item appears at the bottom of the list but isn’t actually a system process. Instead, it’s a counter that displays the total percentage of your CPU that is idle and ready for use. It is common for the number in the CPU column in System Idle Process to hover between 90 and 100. This process is necessary, so if you try to end it, you will receive an Invalid Operation error message.

Systray.exe

The Systray.exe system process manages the Microsoft System Tray Services, which in turn handles the date and time display in your System Tray on your Desktop. This process is a normal part of Windows and should not be terminated.

Taskmgr.exe

If you pressed CTRL-ALT-DELETE to bring up the list of system processes in the Windows Task Manager, then you’ll invariably see Taskmgr.exe among them. This system process refers to the Task Manager itself, and if ended will simply close the Task Manager from view.

Wdfmgr.exe

Wdfmgr.exe is an application process that relates to the Windows Driver Foundation Manager, which is a vital aspect of Microsoft’s Windows Media Player 10. If you’re running Windows Media Player, you’ll want to maintain this process because it can help with device and software compatibility issues.

Winlogon.exe

The Winlogon.exe system process is called the Microsoft Windows Logon Process and refers to the Windows NT login manager. This process manages the procedures involved in logging on and logging off of your system. Don’t attempt to terminate this process because it is important to the stable operation of your computer. The legitimate version of Winlogon.exe is located in the C:\WINDOWS\SYSTEM32 folder. If the file appears elsewhere, scan your computer with an antivirus application to minimize possible infection.

Wmplayer.exe

Wmplayer.exe is the application process for Microsoft’s WMP (Windows Media Player) software. If you use WMP to play streamed or downloaded audio and video files, then don’t terminate this process unless you think it’s causing your system problems. A known virus of the same name has been found previously, so make sure this file is in the C:\PROGRAM FILES\WINDOWS MEDIA PLAYER folder. Try scanning your computer with an antivirus application to eliminate the possibility of infection.

Zonealarm.exe

Zonealarm.exe is an application process that refers to ZoneAlarm’s antivirus software. Although not necessary for Windows, this process may be necessary for the proper operation of the Zone Labs product installed on your computer.

Process Heads Up

Despite the number of system processes we discussed in this article, this is by no means a complete guide to everything running in the background on your computer. Sometimes the difference between a legitimate process and a harmful virus is a single character. As stated previously, the Iexplore.exe process refers to Microsoft’s IE, but Iexplorer.exe refers to the RapidBlaster virus. For more information about the processes you’ll find in the Windows Task Manager, consult Uniblue System’s ProcessLibrary.com. Here you can search for system processes, as well as view the Top 5 Processes, Top 5 Security Threats, and Top 5 New Processes.
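The two checks this article keeps returning to, the expected folder for a process and a name that is a single character off, can be run over a list of full image paths. The Python below is an added example, not part of the original article; the function names and the sample listing are constructed for illustration, and the folder table holds only the locations the article gives.

```python
import ntpath  # Windows path rules, so this also runs on a non-Windows machine
# Added example: folders come from this article; names here are illustrative.
SYSTEM32 = r"C:\WINDOWS\SYSTEM32"
EXPECTED_DIR = {
    "csrss.exe": SYSTEM32, "internat.exe": SYSTEM32, "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32, "smss.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "svchost.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "iexplore.exe": r"C:\PROGRAM FILES\INTERNET EXPLORER",
    "msmsgs.exe": r"C:\PROGRAM FILES\MESSENGER",
    "wmplayer.exe": r"C:\PROGRAM FILES\WINDOWS MEDIA PLAYER",
}

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(image_path):
    """Classify one full image path; returns (verdict, detail)."""
    folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(image_path)))
    if name in EXPECTED_DIR:
        if folder == ntpath.normcase(EXPECTED_DIR[name]):
            return ("ok", name)
        return ("wrong-location", f"{name} expected in {EXPECTED_DIR[name]}")
    for known in EXPECTED_DIR:
        if edit_distance(name, known) == 1:  # e.g. iexplorer.exe vs iexplore.exe
            return ("lookalike-name", f"{name} is one character from {known}")
    return ("unknown", name)

# Constructed sample listing, not taken from a real machine.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\system32\iexplorer.exe",
    r"C:\Program Files\QuickTime\QuickTimePlayer.exe",
]

def scan(paths):
    return [(p, *check_process(p)) for p in paths]

if __name__ == "__main__":
    for path, verdict, detail in scan(SAMPLE):
        print(f"{verdict:15} {path}  ({detail})")
```

An "ok" verdict only means the name and folder match what the article lists; it says nothing about the contents of the file, so the antivirus scan the article recommends still applies.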

There are several applications on the market that can help you gather more information about some of the more problematic system processes. If you’re looking to dig a little deeper, check out Security Task Manager ($29; www.neuber.com), WinTasks 5 ($29.95; www.liutilities.com/products/wintasksstd), or Process Explorer (freeware; www.sysinternals.com).

_______________________
by Andrew Leibman
