Strange processes in Task Manager?


6 replies to this topic

#1 Stephen W


Posted 24 November 2008 - 03:34 PM

Hi. I have been reading through some of the tutorials on this site and was looking at the Startup Programs Database. I was looking in my Task Manager at processes running and noticed 3 entries that seem a little odd in that they are the only 3 that do not list a User Name or Description for the process. I am not sure whether these are OK processes or not so I would appreciate if someone can take a look and let me know. The processes I am concerned about are csrss.exe, winlogon.exe and rundll32.exe. Note that there is a 2nd process running called rundll32.exe with the Description 'Windows host process (Rundll32)'.
Please find attached a screenshot of my Task manager showing the processes in question.
Thanks
Steve


Edited by Orange Blossom, 25 November 2008 - 12:44 AM.
Move from HiJack This forum to Windows XP ~ OB




#2 Orange Blossom


Posted 25 November 2008 - 12:58 AM

Hello Stephen W,

Judging by your recently resolved HiJack This thread, I take it you have Windows XP installed.

The files in question are legitimate. From the File Database on BC plus supplements from my knowledge:

csrss.exe is from Service Pack 2 for Windows XP

http://www.bleepingcomputer.com/filedb/csrss.exe-737.html

winlogon.exe, also from Service Pack 2 for Windows XP, is what allows users to log in to the OS etc. It must stay running.

http://www.bleepingcomputer.com/filedb/win...n.exe-3031.html

rundll32.exe Again from SP2, this program allows a DLL file to run as an application. There are many such files that run this way. If rundll32.exe doesn't run, these programs won't either.

http://www.bleepingcomputer.com/filedb/run...2.exe-2593.html

You can also read more about this file from here: http://www.howtogeek.com/howto/windows-vis...-is-it-running/

and from the MS site here: http://windowsxp.mvps.org/rundll32.htm

Orange Blossom :huh:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Stephen W


Posted 25 November 2008 - 07:01 AM

Actually these processes are on my other PC which is a Laptop running Windows Vista. Sorry I should have mentioned that before!
Does it make any difference?
Thanks
Steve

#4 usasma


Posted 25 November 2008 - 02:20 PM

Normally it does make a difference - Vista is different from XP. I'll move this over to the Vista forum when I finish replying.

In this case, these are common to both XP and Vista. A nice description of CSRSS.EXE is here: http://www.processlibrary.com/directory/files/csrss/ WINLOGON.EXE is here: http://www.processlibrary.com/directory/files/winlogon/ And rundll32.exe is here: http://www.processlibrary.com/directory/files/rundll32/

As with any other file, these can be good or bad. The first step would be to investigate where they are located on your hard drive. In addition, you'll want to determine what the command line is for the particular rundll32.exe. To do this, download this free application: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx Then right click on the rundll32.exe and select Properties.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
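
The location and command-line check described in the post above, as an added PowerShell example that is not part of the original thread. It assumes a default Windows layout (System32, plus SysWOW64 for the 32-bit rundll32.exe on 64-bit systems) and PowerShell 3.0 or later for `Get-CimInstance`, so it targets current Windows rather than a stock Vista install; the function name `Get-LocationVerdict` is made up for this example.

```powershell
# Added example: list every csrss.exe, winlogon.exe and rundll32.exe with its
# image path, signature status and command line. Run from an elevated prompt.
$names = 'csrss.exe', 'winlogon.exe', 'rundll32.exe'

# Assumption: the genuine binaries live only in these two directories.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-LocationVerdict {
    param([string]$Path)
    # WMI returns no path when the caller is not allowed to open the process,
    # which is the usual case for csrss.exe and winlogon.exe without elevation.
    if (-not $Path) { return 'unreadable (re-run elevated)' }
    $dir = Split-Path -Parent $Path
    # -contains compares strings case-insensitively, so C:\Windows\system32 matches.
    if ($expectedDirs -contains $dir) { return 'expected' }
    return 'UNEXPECTED'
}

Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        # Signature status is reported for review, not used as a verdict:
        # older PowerShell versions report catalog-signed files as NotSigned.
        $sig = if ($_.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
        } else {
            'n/a'
        }
        [pscustomobject]@{
            Name        = $_.Name
            PID         = $_.ProcessId
            ParentPID   = $_.ParentProcessId
            Location    = Get-LocationVerdict $_.ExecutablePath
            Signature   = $sig
            Path        = $_.ExecutablePath
            # For rundll32.exe this names the DLL and export it was asked to run.
            CommandLine = $_.CommandLine
        }
    } |
    Sort-Object Name, PID |
    Format-List
```

An `UNEXPECTED` location, or a rundll32.exe command line naming a DLL under a temp or user-profile directory, is the entry to investigate further in Process Explorer.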

#5 Michael-Anthony


Posted 25 November 2008 - 04:59 PM

Judging by the screenshot, you are running Vista. I have found a nice little helper that can tell you what is running; I think it works better than Task Manager...

#6 usasma


Posted 25 November 2008 - 06:25 PM

I forgot to move it - am doing it now.....

#7 RandomUser


Posted 25 November 2008 - 07:16 PM

Hi Stephen W,

By now you're probably aware of the many great tools born from Sysinternals, now owned by Microsoft.

One or two more that you may be interested in are

Autoruns
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

and
Rootkit Revealer
http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx

Autoruns will help with determining what startup programs are running on your computer,
and Rootkit Revealer will help determine if you have a rootkit installed.

The point of this post is simply to provide additional resources.

I almost forgot one of my favorites,

procmon

http://technet.microsoft.com/en-us/sysinte...s/bb896645.aspx



