CyberPatriot – UT Dallas Windows Processes and Services 14 November 2015

Objectives Services Task Manager Services.msc Processes Task Manager Process Monitor Task Scheduler Event Viewer Regedit

Services A Windows service is a computer program that operates in the background. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services. Windows services can be configured to start when the operating system is started and run in the background as long as Windows is running. Alternatively, they can be started manually or by an event. Windows OS’s include numerous services which run in context of three user accounts: System, Network Service, and Local Service. These Windows components are often associated with Host Process for Windows Services. Because Windows services operate in the context of their own dedicated user accounts, they can operate when a user is not logged on. Prior to Windows Vista, services installed as an “interactive service” could interact with Windows desktop and show a GUI. In Windows Vista, however, interactive services are deprecated and may not operate properly, as a result of Windows Service hardening. A windows service is effectively an application with a few extra methods exposed for the service manager to control it, namely Stop(), Start(), Pause(), Continue(). When Start is called, the application domain is creatd, the service class initialized and the Start() method called. On stop, the Stop() method is called before the application domain is unloaded from memory. You can see this with task manager. The application doesn’t exist in memory until the start is called and it disappears after the Stop is completed.

Services Managing Services in Task Manager The Services tab of the Task Manager dialog box, shown in Figure lists all the services that can run on the computer. For each service, you will see the Name (the name of the service), the PID (the associated process identifier), Description (a description of the service, Status (whether a process is Running or Stopped), and Group (the service group). To start a stopped service, click the service and select Start Service. To stop a running service, click the service and select Stop Service.

Services Managing Services in services.msc You can also open the Services tool by clicking the Services button. The Services tool allows you to specify whether a process starts automatically, automatically with a delayed start, manually, or is disabled. The Component Services (initialized from the Start Menu, Run, "services.msc" - without quotes) is a management tool in the operating system that enables the management, configuration, initialization, removal or pause the services that operating systems Platform Windows provide to the user. Many services are already preconfigured in the default installation of MS-Windows and is automatically activated. Others are only available but not started. When there is a need to use the service by the operating system or the user, as a matter of use with some application software, it can start the service (this is set to "Manual") or the system itself can activate it ( if it is set to "Auto"). Some services may be deactivated. The activation of the service in this case it is necessary, depending on which requires rebooting the computer. To access services.msc: Right-click on Computer icon on desktop and select Manage. Now go to Services & Applications -> Services. You can also open the same from Administrative Tools-> Computer Management. Or you can directly open "Services" list by providing services.msc command in RUN or Start Menu search box.

Services

Processes Like most modern operating systems, Windows can run many programs at the same time. Still, unless your computer has several processors, it can only perform one task at a time. To solve this problem Windows switches rapidly between all running programs, creating the illusion of all programs running in parallel. If you have ever experienced a crash, however, you probably know that as soon as the switching stops working, all programs simply stop working. This is because the processor gets locked up in one process and stays there. What is a Process? While the word "program" refers to the executable code (the exe file, for example), a process is a program that is being executed. When you start a program in Windows, the executable will be loaded into RAM. Windows will then add the new process to its internal process list and make sure the process receives some CPU time as well as memory and other resources. A process can then request any amount of resources from Windows as long as there are resources left. Windows keeps track of which processes are using which resources. As soon as a process is closed or terminated, all resources used by that process will be returned to Windows and will then be handed out to other processes. Unlike memory and similar resources, CPU time cannot simply be requested but is instead shared equally between processes. A process can also return the CPU to Windows before the assigned time slice ends. This is actually what happens most of the time and is the reason why your CPU usage is not always at 100 %

Processes Managing Process Tasks in Task Manager The Processes tab of the Task Manager dialog box, shown in Figure 15.21, lists all the processes that are currently running on the computer. This is a convenient way to get a quick look at how your system is performing. For each process, you will see the Image Name (the name of the process), the User Name (the user account that is running the process), CPU (the amount of CPU utilization for the process), Memory (Private Working Set) (the amount of memory that is being used by the process), and Description (a description of the process). You can organize and control processes as follows: To organize the processes, click the column headings. For example, if you click the CPU column, the listing will start with the processes that use the most CPU resources. If you click the CPU column a second time, the listing will be reversed so that the processes that use the least CPU resources are listed first. To manage a process, right-click it and choose an option from the context menu. You can choose to end the process, end the process tree, debug the process, specify virtualization, create a dump file, or set the priority of the process (to Realtime, High, Above Normal, Normal, Below Normal, or Low). If your computer has multiple processors installed, you can also set processor affinity (the process of associating a specific process with a specific processor) for a process. To customize the counters that are listed, select View _ Select Columns. This brings up the Select Columns dialog box where you can select various information you want to see listed on the Processes tab.

Processes

Stopping Processes You might need to stop a process that isn’t executing properly. To stop a specific process, select the process you want to stop in the Task Manager’s Processes tab and click the End Process button. Task Manager displays a Warning dialog box. Click the End Process button to terminate the process. If you right-click a process, you can end the specific process or you can use the option End Process Tree. The End Process Tree option ends all processes that have been created either directly or indirectly by the process. Managing Process Priority To change the priority of a process that is already running, use the Processes tab of Task Manager. Right-click the process you want to manage and select Set Priority from the context menu. You can select from Realtime, High, Above Normal, Normal, Below Normal, and Low. As you might expect, applications launch at Normal priority by default. Perform the following steps to set a process priority and end a process from within Task Manager: 1. Right-click an empty space on your Taskbar and select Task Manager from the context menu. 2. On the Applications tab, click the New Task button.

Processes Process Monitor Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Processes Process Monitor includes powerful monitoring and filtering capabilities, including: More data captured for operation input and output parameters Non-destructive filters allow you to set filters without losing data Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation Reliable capture of process details, including image path, command line, user and session ID Configurable and moveable columns for any event property Filters can be set for any data field, including fields not configured as columns Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data Process tree tool shows relationship of all processes referenced in a trace Native log format preserves all data for loading in a different Process Monitor instance Process tooltip for easy viewing of process image information Detail tooltip allows convenient access to formatted data that doesn't fit in the column

Processes

Task Scheduler Use the Task Scheduler utility in Windows 7 to schedule actions to occur at specified intervals. Windows 7 Task Scheduler can be accessed by typing task scheduler in the Start menu’s search box. Creating a Scheduled Task You can create a basic task by selecting the Create Basic Task item in the Actions pane in the right side of Task Scheduler. By creating a basic task, a Task Manager wizard lets you set any of your Windows programs to run automatically at a specific time and at a set interval, such as daily, weekly, or monthly. For example, you might schedule an application to run daily at 2:00 a.m. If you’ve chosen a time trigger, you configure the time/date when the action will occur. When a trigger is activated, Task Scheduler can perform the following actions: Actions can be performed at the following events (called triggers) available in the Task Manager wizard: Daily, or once every number of days (such as once every three days) Weekly, or on certain days of the week, or every number of weeks (such as every four weeks on Monday) Monthly, or on selected days of the month, or only on selected months One time only When the computer starts

Task Scheduler Task Scheduler Events (continued) When you log on When a specific event is logged Start a program. Send an . Display a message.

Task Scheduler Managing Scheduled Task Properties You can manage a scheduled task through its properties dialog box. To access this dialog box, right-click the task you want to manage and choose Properties from the context menu. The scheduled task’s properties dialog box has six tabs for configuration, as follows: General : General Tab On the General tab, you can configure the following options: The description of the task The username or group to be used to run the specified task Whether the task is run when the user is logged off Whether the task is hidden Triggers : Triggers Tab The Triggers tab shows the schedule configured for the task. You can click Edit to edit the trigger, which brings up the Edit Trigger dialog box. You can also click New to create a new trigger or click Delete to delete an existing trigger.

Task Scheduler Actions : Actions Tab The Actions tab shows the action that is configured for the task. You can click Edit to edit the action, which brings up the Edit Action dialog box. You can also click New to create a new action or click Delete to delete an existing action. Conditions : Conditions Tab The Conditions tab shows the conditions associated with the task. The options in the Idle section are useful if the computer must be idle when the task is run. You can specify how long the computer must be idle before the task begins and whether the task should be stopped if the computer ceases to be idle. The options in the Power section are applicable when the computer on which the task runs is battery powered. You can specify that the task should not start if the computer is running from batteries and choose to stop the task if battery mode begins. You can also select whether to wake the computer in order to run the task. The option in the Network section defines whether the task starts when a particular network connection is available. Settings : Settings Tab The Settings tab shows the settings that affect the task’s behavior with the following settings: Whether the task can be run on demand Whether the task should be restarted if it is missed How often the task should be restarted if it fails

Task Scheduler Settings (continued): When to stop the task if it runs a long time Whether you can force the task to stop When the task should be deleted What actions should occur if the task is already running History: History Tab The History tab shows historical information regarding the task, including the task’s start time, stop time, and whether the task completed successfully. Once set up, the scheduled task should commence at the appropriate time; if not, you might need to troubleshoot it.

Task Scheduler

Event Viewer Using Event Viewer Event Viewer, shown in Figure below, enables you to view event logs that are created by the operating system. This utility is useful when troubleshooting problems that occur on your computer.

Event Viewer Whenever an error occurs, an event is usually placed in one or more event logs. To open Event Viewer, click Start _ Control Panel _ System And Security _ Administrative Tools _ View Event Logs, or you can type event viewer in the Start menu’s search box. Whereas old versions of Event Viewer contained only the Application, Security, and System logs, the Windows 7 version of Event Viewer contains the following logs: Application : The Application log is used to log events relating to applications, such as whether an application, driver, or service fails Security: The Security log is used to log security events, such as successful or failed logon events. Setup: The Setup log is used only by domain controllers, so it doesn’t have much practical use in Windows 7. System: The System log is used to log events concerning the operating system and related services. Forwarded Events: The Forwarded Events log is used to collect events that have been forwarded from other computers. To configure log settings, right-click the log that you want to configure and select Properties. The Log Properties dialog box appears.

Event Viewer

The Log Properties dialog box shows the following information: The full name of the log Where the log is stored The size of the log When the log was created, modified, and accessed Whether logging is enabled for the ldog The maximum log size in KB The action that occurs when the log reaches the max size The left pane of Event Viewer is where you find the Windows logs noted previously, but it also contains other logs and views that can be helpful when troubleshooting a specific application. The Custom Views section can be used to create a view that contains only the information you want to see, such as only events in a particular log or only Critical events. One custom view, Administrative Events, is created for you by default.

Event Viewer The Administrative Events view contains Critical, Error, and Warning events from all logs, enabling you to easily view only the most important events. Another section in the left pane contains logs that relate to Applications and Services. The Microsoft folder within the Application and Services Log contains many other logs related to specific Microsoft components and applications. The Subscription folder enables you to receive event logs from other computers. Having other machines send its event to one machine is useful to us as it gives us one central to view events from multiple locations. To use subscriptions, you must start the Windows Event Collector Service. The center pane of Event Viewer displays the events and information that relates to those events. You can also view a summary of your administrative events, which contains a count of Critical, Error, Warning, Information, Audit Success, and Audit Failure events. A count of these events is displayed for the last hour, day, and week, and the total number of events is also provided. Each event is assigned an event level of Critical, Error, Warning, Information, or Verbose. The right pane of Event Viewer enables you to perform actions related to items you have selected in the left and center panes. You can save logs, open saved logs, create or import views, clear logs, filter logs, and find logs with certain keywords. You can also attach a task to an event.

Regedit Most of the time, you'll use the Services console in the Administrative Tools folder to enable and disable services. In some cases, however, you might need to enable or disable services manually. This could be the case if you've modified the system's configuration and services to the point that the Services console no longer lets you enable services. Or you might need to enable a service remotely. To enable services on the computer through the registry: Start the Registry Editor by pressing the Start- button and Run... this command: Regedit Browse through the left tree to where Services are found: [HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services]

Regedit Within the Services-key find go to the short-name of the wanted service (HereRpcSS aka. Remote Procedure Call (RPC)): [HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \RpcSS]

Regedit Double-Click the Start-value in the list to the right. Change Value data to the wanted state: 0 = Boot 1 = System 2 = Automatic 3 = Manual 4 = Disabled Press Ok and exit the Registry Editor If setting a service to Disabled or Manual, then execute this command to stop the service: Net Stop RpcSS If setting the service to Automatic, then execute this command to start the service: Net Start RpcSS