Guide to Processes




What are Processes?

Process is one of the core terms needed to understand operating systems. The simplest but most precise explanation is that a process is a program in execution, a running instance of a program. In the study of operating systems there are several states for a process, such as running, blocked, or terminated, but this is too much detail for an average user who is just eager to monitor what is going on with his or her computer. (For those who are interested in more detail, Operating Systems: Design and Implementation and Modern Operating Systems by Andrew Tanenbaum are excellent sources of in-depth information about processes and operating systems as a whole.)


Modern operating systems can handle many processes simultaneously, but it is important to know that at any given point the CPU is only running one process. The other processes are waiting for their turn to come. This is why you see a long list of processes in the Task Manager. New multi-core processors allow more processes to run simultaneously, but this still does not change the fact that while one (or several) processes are running, a dozen others are waiting to be executed by the processor.


Many operating systems allow processes to be divided further – into threads. For example, if Program A is running as a Process A, Process A can have the following threads — A1, A2, and A3, all of which execute subtasks that are related to the execution of Program A. Threads are dependent on the process that started them and when the process terminates, they terminate as well. Process management is one of the basic activities of operating systems. When a process consumes too much CPU power, this slows down the whole system, so in order to free some resources, one or more processes can be terminated.


When processes are forcibly terminated, this often results in loss of data. However, given the choice between a hung system and a killed process, loss of data might be acceptable. There are processes that cannot be terminated because their execution is vital for the functioning of the whole system. Also, killing processes arbitrarily is a bad idea (even if the operating system allows you to kill a process of your choice). The right approach to killing processes is to first identify which program started the process, then identify what resources it is using, and finally proceed with termination. Killing the bad guys, i.e. problematic processes, is described in the last section of this article.



Windows Processes

Now that we have had a brief explanation of what processes are, let’s see how they relate to Windows. Windows, like most modern operating systems, supports multitasking and multithreading. So, when you press CTRL+ALT+DEL to bring up the Task Manager, you will see the list of processes.




You see an Image Name column, where all processes for the currently logged in user are listed. If the Show Processes From All Users checkbox were checked, this list would show processes from all users. The name of the user who owns the process and data like the CPU and Memory usage of the particular process are listed next. Some of the process names are self-explanatory (firefox.exe) but others are a bit cryptic. Don’t worry if you can’t guess what a particular Image Name stands for: there are good online references, such as http://www.processlibrary.com or http://www.what-process.com/lists.aspx, where you can check what program a particular process represents.


However, it does not hurt to know the names of a couple of the essential Windows processes. There might be differences in the list of essential processes between the various versions of Windows but the major ones are as follows:



  • System Idle Process

  • explorer.exe

  • winlogon.exe

  • svchost.exe

  • lsass.exe

  • services.exe

  • spoolsv.exe

  • smss.exe

  • csrss.exe

  • taskmgr.exe

Usually several instances of svchost.exe are running. This is normal because not all of them will be owned by the same user. What is not normal is that the same name, svchost.exe, has been registered both as a legitimate Windows process and as a trojan and backdoor. But more on this later. Svchost is a system process that handles services executed from DLLs. This is one of the most important processes in Windows and if you terminate it, your computer will become unstable. I am not going to explain all the processes here, so if you are interested in learning more about them, go to the above links; the lists there are very thorough.


I have used words like important and essential to describe the processes, but not all processes are equal. You can make one process more important than another through prioritization. By default all processes have a Normal priority. If you are running a very special program that requires more processing power, or it is important for the program to be processed as soon as possible, you can change its priority from Normal to Realtime, High, or Above Normal. Alternatively, if you would like a given process to have a lower than normal priority, select Below Normal or Low. Set priorities by right-clicking the process in the Image Name column and selecting Set Priority from the context menu. From the list of priorities, choose the desired one. You can change the priority for most of the processes, but not all. (System Idle Process is one of the few exceptions because it is a vital process that users should not be allowed to modify.)


If you want more in-depth data about a particular process, for instance to see the whole process tree, the threads in the process, its network connectivity, or handles and DLLs, Windows Task Manager will not be useful. Instead, you can download a free program, Process Explorer by Mark Russinovich, and see all this and a lot more information about the processes on your computer.



Killing the Bad Guys

When you right-click a process in the list of processes, you will see the End Process and End Process Tree commands. Choosing the first terminates only that process; choosing the second terminates the process itself along with all of its related processes. You will see a warning that terminating a process that way might cause system instability, but if you are killing a program that is not responding anyway, you might actually gain some system stability (or at least processor time). Killing a process through the Windows Task Manager is worth it only if the program has hung and you need to free resources.
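
To see which processes belong to a tree before ending it, the parent links can be walked from a process listing. This is an added example, not part of the original article; the rows are constructed, the field names follow the Win32_Process WMI class, and `Created` is a simplified stand-in for its `CreationDate` value.

```python
from collections import defaultdict

def process_tree(processes, root_pid):
    """Return the PIDs in the tree rooted at root_pid, root first."""
    by_pid = {p["ProcessId"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        parent = by_pid.get(p["ParentProcessId"])
        # Windows reuses PIDs: the recorded parent PID may now belong to an
        # unrelated, newer process. Accept a parent only if it is older.
        if parent and parent is not p and parent["Created"] <= p["Created"]:
            children[parent["ProcessId"]].append(p["ProcessId"])
    order, stack, seen = [], [root_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen or pid not in by_pid:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(sorted(children[pid], reverse=True))
    return order

# Constructed sample listing; "Created" is in arbitrary increasing time units.
PROCESSES = [
    {"Name": "explorer.exe", "ProcessId": 2000, "ParentProcessId": 1500, "Created": 100},
    {"Name": "hungapp.exe", "ProcessId": 3000, "ParentProcessId": 2000, "Created": 200},
    {"Name": "helper.exe", "ProcessId": 3100, "ParentProcessId": 3000, "Created": 210},
    {"Name": "worker.exe", "ProcessId": 3200, "ParentProcessId": 3100, "Created": 220},
    {"Name": "notepad.exe", "ProcessId": 3300, "ParentProcessId": 2000, "Created": 230},
    # updater.exe names PID 3500 as its parent, but the current owner of
    # PID 3500 was created later, so it is not really the parent.
    {"Name": "updater.exe", "ProcessId": 3400, "ParentProcessId": 3500, "Created": 150},
    {"Name": "backup.exe", "ProcessId": 3500, "ParentProcessId": 2000, "Created": 300},
]

if __name__ == "__main__":
    names = {p["ProcessId"]: p["Name"] for p in PROCESSES}
    # Tree of the hung program: notepad.exe (3300) is a sibling and is not in it.
    for pid in process_tree(PROCESSES, 3000):
        print(pid, names[pid])
```
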
Browsing through the processes in Windows Task Manager might also give you a clue if you have viruses, spyware, adware and other types of malware on your computer. If you notice a strange process in the list of processes, check to see which program it belongs to and if it is malware, take the appropriate measures (i.e. launch your antivirus or anti-spyware programs).


Keep in mind that the fact that you don’t see any suspicious processes in the list of processes does not mean that your computer is clean. Most of the advanced malicious programs are written in a way that allows them to remain hidden and they will hardly show themselves in the processes list. Often, malicious code is hidden behind perfectly legitimate processes or uses the same name (the example with svchost.exe) as a Windows service or a popular program. It is therefore unlikely that you will notice it in the processes list of Windows Task Manager. But even if the malicious program shows in the list, stopping the process will not remove it from your computer. You need to take additional measures to clean it completely. Still, occasionally having a look at what processes are running on your computer is a good habit to have.
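
A name in the list proves little on its own, so a more useful check compares each essential process name against the folder its image normally runs from. The following is an added example, not part of the original article: the sample rows are constructed, the field names follow the Win32_Process WMI class, a default `C:\Windows` system root is assumed, and the near-miss spelling check goes slightly beyond the same-name case the article mentions.

```python
import ntpath

SYSTEM_ROOT = r"C:\Windows"  # assumption: default %SystemRoot%
SYSTEM32 = SYSTEM_ROOT + "\\System32"
# Expected image directory for the essential processes the article lists.
EXPECTED_DIR = {"explorer.exe": SYSTEM_ROOT}
for _n in ("winlogon", "svchost", "lsass", "services", "spoolsv", "smss", "csrss", "taskmgr"):
    EXPECTED_DIR[_n + ".exe"] = SYSTEM32

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(processes):
    """Return (pid, name, reason) for each process that deserves a closer look."""
    findings = []
    for p in processes:
        name = p["Name"].lower()
        path = p.get("ExecutablePath") or ""
        if name in EXPECTED_DIR:
            # Protected system processes may report no path to a non-elevated
            # user, so an empty path is not treated as a finding here.
            actual = ntpath.normcase(ntpath.dirname(path))
            if path and actual != ntpath.normcase(EXPECTED_DIR[name]):
                findings.append((p["ProcessId"], p["Name"], "system name, unexpected path"))
            continue
        # Heuristic threshold: exactly one character away from a system name.
        near = [n for n in EXPECTED_DIR if edit_distance(name, n) == 1]
        if near:
            findings.append((p["ProcessId"], p["Name"], "look-alike of " + near[0]))
    return findings

# Constructed sample rows.
SAMPLE = [
    {"Name": "svchost.exe", "ProcessId": 812, "ExecutablePath": r"C:\Windows\System32\svchost.exe"},
    {"Name": "svchost.exe", "ProcessId": 4120, "ExecutablePath": r"C:\Users\Public\svchost.exe"},
    {"Name": "svch0st.exe", "ProcessId": 4388, "ExecutablePath": r"C:\Windows\System32\svch0st.exe"},
    {"Name": "lsass.exe", "ProcessId": 640, "ExecutablePath": None},
    {"Name": "firefox.exe", "ProcessId": 5012, "ExecutablePath": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A finding is a prompt to inspect the file, not a verdict, and a clean result does not show that the machine is clean, for the reasons given above.
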


5 comments

  1. Excellent

  2. Cybersupam /

    A great article on processes used by the system…really I learned a lot from this…thanks a lot.

  3. So if I had a bad process and I canceled the process tree could it possibly kill other processes which aren’t even bad?

  4. Great Great Info

  5. Sapna Gandhi0409 /

    define the system view of processes?
