The Function of Native Win2K Processes

When you start Windows Task Manager and click the Processes tab, you see approximately 30 processes that Windows 2000 runs at startup, plus Microsoft and third-party processes that implement antivirus protection and other running applications. Some Task Manager processes (e.g., alertsvc.exe, Iexplore.exe, dns.exe, wins.exe) correlate one-for-one with a specific Win2K service; other processes, such as the System Idle Process, services.exe, and svchost.exe, are core OS components, or they coordinate multiple services. Processes that correlate directly with a native service appear in the Task Manager process list only when you've configured the service and the service is running. So, unless you've installed Win2K Server Tools on a Win2K Professional machine, you won't see dns.exe or wins.exe on the Win2K Pro system. These same native processes will appear on Win2K Server only if you have configured and started the service.

Today, I explain the origin of names such as CSRSS, LSASS, and svchost and describe some of the common native processes. I also indicate which processes you can stop in Task Manager. If you can’t stop a process in Task Manager, you might be able to stop it with the Microsoft Management Console (MMC) Services applet or with the Windows 2000 Resource Kit utility kill.exe. Tread lightly; when you kill a core process such as System or Session Manager Subsystem (SMSS), your system will likely crash.

Alertsvc.exe is the alerter service that dispatches performance and other administrative alerts to the proper individual. You can't stop this process from Task Manager.

Cmd.exe is the command-line component that opens a console window and manages the command-line interface environment. You can stop this process in Task Manager.

Csrss.exe is the Client-Server Runtime Subsystem. This core process is the user-mode component of the Win32 subsystem (the kernel-mode component is win32k.sys). CSRSS manages console windows, creates and deletes threads, and manages a portion of the 16-bit virtual DOS environment. You can't end this process from Task Manager.

Dfssvc.exe is the DFS component. This process manages logical volumes distributed across a network. Use the MMC Services snap-in to manage this process.

Explorer.exe creates and manages the desktop. When you use Task Manager to stop this process, the monitor goes blank, so you’ll need to log off and log back on to restore the desktop.

Internat.exe is the international component that appears only when you define multiple input locales for a system. Internat places the EN icon in the system tray so you can click the icon to change input locales. You can stop this process in Task Manager.

Llssrv.exe is the license-logging service that monitors and reports license usage to the master license server. Manage this process with the MMC Services snap-in.

Lsass.exe is the Local Security Authority Server service, the component that performs local authentication through Winlogon. After authenticating a user account, LSASS creates the account’s access token that defines the account’s group memberships, the operations the account can perform, and the resources the account can access. You can't end this process from Task Manager.

Mstask.exe is the process that creates and manages jobs you run with the Scheduled Task Wizard in Control Panel or the AT command. The related service, taskmgr.exe, executes each job in the scheduled task queue. You can't stop mstask.exe in Task Manager, but you can kill the taskmgr process.

Regsvc.exe is the remote registry service that supports remote reading and updating of the local registry. You can't stop regsvc.exe in Task Manager; you must manage the service with the Services applet.

Smss.exe is the session manager subsystem. SMSS starts when Win2K boots and you see the Please Wait screen. This core startup component has many responsibilities, including

  • creates local procedure call (LPC) port objects and threads for client requests (e.g., loading a new subsystem)
  • defines symbolic links for MS-DOS-based devices (e.g., COM1 and LPT1)
  • initializes Windows 2000 Server Terminal Services, if installed
  • runs programs listed in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
  • performs any delayed file-rename operations or pending file deletions
  • opens known DLLs
  • creates additional paging files
  • initializes the registry
  • creates system environment variables
  • loads the kernel-mode portion of the Win32K subsystem (CSRSS is the user-mode portion)
  • starts subsystem processes and Winlogon.exe

After the system is running, smss.exe hibernates until either the Winlogon process or CSRSS process terminates, at which point smss.exe shuts down the system. For obvious reasons, you can't end this process.

Spoolsv.exe is the spooler service that manages queued fax and print jobs. You must stop and restart this process from the Services snap-in.

Svchost.exe is a shell process that hosts and coordinates activity for processes that run from DLLs, including Internet Authentication Service, Internet Connection Sharing, Network Connections, Routing and Remote Access, Removable Storage, System Event Notification, remote procedure call (RPC), and Telephony. Each Win2K system typically has multiple active svchost.exe processes, one of which manages RPC communication, one that manages network services, and so on. You cannot end any of these processes in Task Manager.

Services.exe is the services control manager. This process starts, stops, and interacts with system services that don't run under the Svchost shell, including the browser, DHCP, Dnscache, Protected Storage, Messenger, PlugPlay, and W32Time services. You can't end this process in Task Manager.

System is a core kernel-mode component that creates and manages kernel-mode threads. You must never kill this process.

System Idle Process is a single thread that runs on each CPU whenever the CPU has no work to perform. Performance Monitor uses idle process time to calculate the amount of available CPU. Never stop this process.

Winlogon.exe is the Windows logon component that manages logon and logoff activity. When a user logs on to the local system, Winlogon performs all the authentication tasks. When a user logs on to a domain, Winlogon passes the user logon credentials to the Netlogon service for routing to a domain controller (DC) that can perform the authentication. Winlogon only appears in the process list when someone is logging on or off the system. You can't end this process from Task Manager.

Winmgmt.exe is the Windows Management Instrumentation (WMI) client component that interfaces with WMI-based applications that inventory installed hardware, inventory or deliver software, and collect performance data. You can't stop this process in Task Manager, but you can use the Services applet to stop and restart the two related WMI services.
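As an added example (not part of the original column), the following Python script turns the process descriptions above into a baseline and audits a process snapshot against it. Each entry is classified the way the column describes it: core components you must never end, services you manage from the Services snap-in, and user processes you can end from Task Manager. Two things get flagged for a second look: names that are not in the native baseline, and a core-process name whose image path lies outside the system directory. The snapshot is constructed sample data, the default Win2K system directory C:\WINNT\system32 is an assumption, and the Proc and Finding record types are this example's own.

```python
"""Audit a process snapshot against the Win2K native-process baseline.

Added example, not from the original article.  BASELINE is derived from the
column's process descriptions; SAMPLE is a constructed snapshot; SYSTEM_DIR
(the Win2K default) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List

# How the column says each kind of process is stopped.
CORE = "core"        # never end it: the system crashes or shuts down
SERVICE = "service"  # stop/restart from the MMC Services snap-in, not Task Manager
USER = "user"        # can be ended from Task Manager

BASELINE = {
    "system": CORE, "system idle process": CORE, "smss.exe": CORE,
    "csrss.exe": CORE, "winlogon.exe": CORE, "lsass.exe": CORE,
    "services.exe": CORE, "svchost.exe": CORE,
    "alertsvc.exe": SERVICE, "dfssvc.exe": SERVICE, "llssrv.exe": SERVICE,
    "mstask.exe": SERVICE, "regsvc.exe": SERVICE, "spoolsv.exe": SERVICE,
    "winmgmt.exe": SERVICE,
    "cmd.exe": USER, "explorer.exe": USER, "internat.exe": USER,
}

SYSTEM_DIR = r"c:\winnt\system32"  # assumption: default Win2K system directory


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str  # empty for kernel pseudo-processes such as System


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    role: str       # core / service / user / unknown
    flagged: bool   # unknown name, or core name outside the system directory
    note: str


def audit(snapshot: Iterable[Proc], system_dir: str = SYSTEM_DIR) -> List[Finding]:
    """Classify every process in the snapshot against BASELINE."""
    prefix = system_dir.lower().rstrip("\\") + "\\"
    findings = []
    for p in snapshot:
        role = BASELINE.get(p.name.lower(), "unknown")
        flagged = False
        if role == "unknown":
            flagged = True
            note = "not in the native baseline; identify it before acting on it"
        elif role == CORE and p.path and not p.path.lower().startswith(prefix):
            flagged = True
            note = f"core name but image path {p.path} is outside {system_dir}"
        elif role == CORE:
            note = "core component: do not end it"
        elif role == SERVICE:
            note = "manage from the Services snap-in, not Task Manager"
        else:
            note = "can be ended from Task Manager"
        findings.append(Finding(p.pid, p.name, role, flagged, note))
    return findings


def suspicious(findings: Iterable[Finding]) -> List[Finding]:
    """Only the entries worth a second look."""
    return [f for f in findings if f.flagged]


# Constructed snapshot: a normal Win2K process list plus two oddities.
SAMPLE = [
    Proc(0, "System Idle Process", ""),
    Proc(8, "System", ""),
    Proc(140, "smss.exe", r"C:\WINNT\system32\smss.exe"),
    Proc(164, "csrss.exe", r"C:\WINNT\system32\csrss.exe"),
    Proc(184, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    Proc(212, "services.exe", r"C:\WINNT\system32\services.exe"),
    Proc(224, "lsass.exe", r"C:\WINNT\system32\lsass.exe"),
    Proc(400, "svchost.exe", r"C:\WINNT\system32\svchost.exe"),
    Proc(428, "svchost.exe", r"C:\WINNT\system32\svchost.exe"),
    Proc(460, "spoolsv.exe", r"C:\WINNT\system32\spoolsv.exe"),
    Proc(700, "explorer.exe", r"C:\WINNT\explorer.exe"),
    Proc(812, "cmd.exe", r"C:\WINNT\system32\cmd.exe"),
    Proc(900, "svchost.exe", r"C:\Temp\svchost.exe"),                  # constructed: wrong location
    Proc(944, "updater.exe", r"C:\Program Files\Vendor\updater.exe"),  # constructed: not in baseline
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        mark = "!!" if f.flagged else "  "
        print(f"{mark} {f.pid:>5} {f.name:<22} {f.role:<8} {f.note}")
```

Running the script prints the full classified list and marks the two constructed oddities (the svchost.exe running from C:\Temp and the unlisted updater.exe). The baseline is deliberately the column's own list; on a real machine, add the Microsoft and third-party processes you expect to see so that only genuine strangers are flagged.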
