I can’t count how many times I have been troubleshooting an issue on a Windows machine and stumbled across an unfamiliar process. Not all of these Windows processes were malicious in nature; some were completely benign processes that I simply wasn’t familiar with. Even so, it can be unsettling to see an unexpected Windows process running on a machine. How do you know what’s benign and what’s not?
Sometimes all it takes to find out is to Google the name of the process. This will often allow you to quickly determine what the process is and what it does. Every once in a while, though, this approach may leave you with more questions than answers.
Imagine for a moment that you search for the name of a process that is unexpectedly running on a computer, and find that it is associated with a well-known application. But what if that application isn’t installed on the computer? What if it’s not even something that your organization uses? Now what?
There are two likely possibilities for what is going on. One is that the application was installed at one time but was later removed. Something may have gone wrong during the application removal process and a component was left behind. Another possibility is that the process is actually something malicious that is trying to hide by disguising itself as a mainstream application.
Either possibility is equally plausible. Fortunately, there are some ways that you can figure out what is going on.
One of the first things to do is to look at the CPU, memory and disk usage of the process. If the process is left over from an application that was not fully removed, it will most likely be idle. A malicious process, on the other hand, may appear to be actively using system resources. Examining system resource usage is by no means a foolproof way of determining whether a process is malicious, but it can be a good starting point.
Another thing you can do is right-click on the process within the Task Manager and then choose the Open File Location command from the shortcut menu. This will take you to the folder where the process's executable resides. You may be able to tell something about the file's origins by looking at its location.
However, the file's metadata tends to be far more telling. Right-click on the file and choose the Properties command from the resulting shortcut menu. This will cause Windows to display the file's properties sheet. Now, take a look at the sheet's Digital Signatures tab. This tab shows whether the file has been digitally signed, who signed it, and whether that signature is valid, so you can tell whether it really comes from a reputable software vendor.
If you are still in doubt as to where a process came from and what it is actually doing, then you can download a copy of Process Monitor. Process Monitor is a free tool that provides in-depth information about every process running on your computer. You can use Process Monitor to see Windows processes’ network activity, registry activity and file system activity. By doing so, you can see exactly what processes are doing as they run.
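The checks above (resource usage, file location, digital signature) can be scripted so that they are run the same way every time. The following is an added PowerShell example, not code from the original article; it assumes the process name is passed as $ProcessName (without ".exe") and goes one step beyond the text by comparing the product name the file claims in its version resource against the Programs and Features uninstall entries, which is exactly the "associated with an application that isn't installed" situation described earlier.

```powershell
# Added example, not from the original article: scripts the triage steps
# (resource usage, image path, digital signature) and checks whether the product
# the file claims to belong to is actually installed. Assumes the process name is
# passed as $ProcessName (without ".exe"); all cmdlets are built into Windows PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName
)

# Programs and Features is populated from these two registry locations.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object -ExpandProperty DisplayName

foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
    # Step 1: resource usage. A leftover from a broken uninstall is normally idle;
    # steady CPU time or a large working set deserves a closer look.
    $cpu = if ($null -ne $p.CPU) { [math]::Round($p.CPU, 1) } else { 'n/a' }
    $ws  = [math]::Round($p.WorkingSet64 / 1MB, 1)
    Write-Host ("PID {0}: CPU {1}s, working set {2} MB" -f $p.Id, $cpu, $ws)

    # Step 2: where the image lives (same as Task Manager's "Open File Location").
    $path = $p.Path
    if (-not $path) { Write-Host '  Image path unavailable (protected process or access denied)'; continue }
    Write-Host "  Image: $path"

    # Step 3: who signed it (same as the Properties > Digital Signatures tab).
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    Write-Host "  Signature: $($sig.Status) signer=$signer"

    # Step 4: what the file claims to be, and whether that product is installed at all.
    $vi = (Get-Item $path).VersionInfo
    Write-Host "  Claims: company='$($vi.CompanyName)' product='$($vi.ProductName)'"
    if ($vi.ProductName) {
        $match = $installed | Where-Object { $_ -like "*$($vi.ProductName)*" }
        if ($match) { Write-Host "  Installed as: $($match -join ', ')" }
        else        { Write-Host '  No matching entry in Programs and Features: orphaned component or impostor' }
    }
}
```

A "Valid" signature from a vendor whose product is also listed as installed points to a benign leftover; an unsigned or mis-signed image whose claimed product is absent is the case that warrants the Process Monitor follow-up described next.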
The Bigger Picture
In some ways, it may seem like a moot point: Does it matter whether suspicious Windows processes are malicious or simply artifacts of failed uninstall operations? Don’t the Windows processes need to be removed in either case?
Yes, but determining the nature of unexpected Windows processes (whether they are malicious or not) will help you better gauge your overall security posture.
If a Windows process is tied to a previously removed application, and the application is something that the organization does not use, then you will need to figure out how the application got there in the first place. You will also likely need to tighten your endpoint security to prevent users from installing unauthorized applications.
If, on the other hand, the process proves to be malicious, then you will want to begin looking at why your anti-malware software did not detect it and whether additional systems might be infected.