Transcript PPT-08-a

CyberPatriot – UT Dallas
Windows Processes and Services
14 November 2015
Objectives
• Services
  • Task Manager
  • Services.msc
• Processes
  • Task Manager
  • Process Monitor
• Task Scheduler
• Event Viewer
• Regedit
Services
A Windows service is a computer program that operates in the background. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services.
Windows services can be configured to start when the operating system is started and run in the background as long as Windows is running. Alternatively, they can be started manually or by an event. Windows operating systems include numerous services which run in the context of three user accounts: System, Network Service, and Local Service. These Windows components are often associated with Host Process for Windows Services (svchost.exe). Because Windows services operate in the context of their own dedicated user accounts, they can operate when no user is logged on. Prior to Windows Vista, services installed as an "interactive service" could interact with the Windows desktop and show a GUI. Since Windows Vista, however, interactive services are deprecated and may not operate properly as a result of Windows service hardening. A Windows service is effectively an application with a few extra methods exposed for the service manager to control it, namely Stop(), Start(), Pause() and Continue().
When Start is called, the application domain is created, the service class is initialized and the Start() method is called. On stop, the Stop() method is called before the application domain is unloaded from memory.
You can see this with Task Manager: the application does not exist in memory until Start is called, and it disappears after Stop has completed.
Managing Services in Task Manager
The Services tab of the Task Manager dialog box, shown in the figure, lists all the services that can run on the computer. For each service, you will see the Name (the name of the service), the PID (the associated process identifier), Description (a description of the service), Status (whether the service is Running or Stopped), and Group (the service group). To start a stopped service, click the service and select Start Service. To stop a running service, click the service and select Stop Service.
Managing Services in services.msc
You can also open the Services tool by clicking the Services button on the Services tab of Task Manager. The Services tool allows you to specify whether a service starts automatically, automatically with a delayed start, manually, or is disabled.
The Services tool (started from the Start Menu, Run, "services.msc" without quotes) is a management tool in the operating system that lets you configure, start, pause, stop or remove the services that the Windows platform provides to the user.
Many services are already preconfigured in the default installation of Windows and are activated automatically. Others are installed but not started. When the operating system, the user or an application needs a service, it can be started on demand (startup type set to "Manual") or the system itself can activate it (startup type set to "Auto"). Some services may be deactivated (startup type set to "Disabled"); reactivating such a service may require rebooting the computer. To access services.msc:
Right-click the Computer icon on the desktop and select Manage. Now go to Services & Applications -> Services. You can also open the same tool from Administrative Tools -> Computer Management.
Or you can directly open the "Services" list by entering the services.msc command in the Run dialog or the Start Menu search box.
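The following PowerShell is an added example, not part of the slides: it gathers the same facts the Task Manager Services tab and services.msc present (state, startup type, the account a service runs as, the PID of its host process and its image path) from the Win32_Service CIM class, and adds a review listing of services whose executable sits outside the usual system folders. The trusted-root list and the "Auto (Delayed)" label are choices made for this example.

```powershell
# Added example (not from the slides): the information the Task Manager Services tab
# and services.msc show, gathered from the Win32_Service CIM class in one listing.
# Run from an elevated PowerShell prompt to see every service's host PID.

function Get-ServiceInventory {
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        # "Automatic (Delayed Start)" is Start=2 plus DelayedAutostart=1 in the registry;
        # Win32_Service reports both simply as "Auto", so read the flag directly.
        $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)" -ErrorAction SilentlyContinue
        $mode = $s.StartMode
        if ($mode -eq 'Auto' -and $reg -and $reg.DelayedAutostart -eq 1) { $mode = 'Auto (Delayed)' }
        [pscustomobject]@{
            Name      = $s.Name
            Display   = $s.DisplayName
            State     = $s.State          # Running / Stopped, as on the Services tab
            StartMode = $mode             # Boot / System / Auto / Auto (Delayed) / Manual / Disabled
            Account   = $s.StartName      # LocalSystem, NT AUTHORITY\NetworkService, NT AUTHORITY\LocalService, ...
            HostPID   = $(if ($s.ProcessId) { $s.ProcessId } else { $null })   # 0 while stopped: nothing in memory
            Path      = $s.PathName       # image path plus arguments, e.g. svchost.exe -k <group>
        }
    }
}

# Review aid: services whose executable is outside the usual system locations.
# Legitimate third-party services will appear here too, so verify before acting.
function Find-UnusualServicePaths {
    param([string[]] $TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($svc in Get-ServiceInventory) {
        if (-not $svc.Path) { continue }
        # Take the executable: the quoted part if quoted, otherwise up to the first ".exe".
        $exe = $svc.Path
        if ($svc.Path -match '^"([^"]+)"') { $exe = $Matches[1] } elseif ($svc.Path -match '^(.+?\.exe)') { $exe = $Matches[1] }
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
        }
        if (-not $trusted) { $svc }
    }
}

# Usage:
# Get-ServiceInventory | Sort-Object State, Name | Format-Table -AutoSize
# Find-UnusualServicePaths | Format-Table Name, Account, StartMode, Path -AutoSize
# Stop-Service -Name Spooler; Start-Service -Name Spooler    # same as Stop/Start Service on the Services tab
# Set-Service -Name Spooler -StartupType Disabled             # same as the startup type in services.msc
```

A stopped service shows HostPID 0, which is the "does not exist in memory until Start is called" behaviour described above; starting it with Start-Service and re-running the inventory shows the PID appear.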
Processes
Like most modern operating systems, Windows can run many programs at the same time. Still,
unless your computer has several processors, it can only perform one task at a time. To
solve this problem Windows switches rapidly between all running programs, creating the
illusion of all programs running in parallel. If you have ever experienced a crash, however,
you probably know that as soon as the switching stops working, all programs simply stop
working. This is because the processor gets locked up in one process and stays there.
What is a Process?
While the word "program" refers to the executable code (the exe file, for example), a
process is a program that is being executed. When you start a program in Windows, the
executable will be loaded into RAM. Windows will then add the new process to its internal
process list and make sure the process receives some CPU time as well as memory and
other resources. A process can then request any amount of resources from Windows as
long as there are resources left. Windows keeps track of which processes are using which
resources. As soon as a process is closed or terminated, all resources used by that
process will be returned to Windows and will then be handed out to other processes.
Unlike memory and similar resources, CPU time cannot simply be requested but is instead shared equally between processes. A process can also return the CPU to Windows before the assigned time slice ends. This is actually what happens most of the time and is the reason why your CPU usage is not always at 100%.
Managing Process Tasks in Task Manager
The Processes tab of the Task Manager dialog box, shown in Figure 15.21, lists all the processes that are currently running on the computer. This is a convenient way to get a quick look at how your system is performing. For each process, you will see the Image Name (the name of the process), the User Name (the user account that is running the process), CPU (the amount of CPU utilization for the process), Memory (Private Working Set) (the amount of memory that is being used by the process), and Description (a description of the process). You can organize and control processes as follows:
• To organize the processes, click the column headings. For example, if you click the CPU column, the listing will start with the processes that use the most CPU resources. If you click the CPU column a second time, the listing will be reversed so that the processes that use the least CPU resources are listed first.
• To manage a process, right-click it and choose an option from the context menu. You can choose to end the process, end the process tree, debug the process, specify virtualization, create a dump file, or set the priority of the process (to Realtime, High, Above Normal, Normal, Below Normal, or Low). If your computer has multiple processors installed, you can also set processor affinity (the process of associating a specific process with a specific processor) for a process.
• To customize the counters that are listed, select View > Select Columns. This brings up the Select Columns dialog box, where you can select the various information you want to see listed on the Processes tab.
Stopping Processes
You might need to stop a process that isn't executing properly. To stop a specific process, select the process you want to stop in the Task Manager's Processes tab and click the End Process button. Task Manager displays a Warning dialog box. Click the End Process button to terminate the process. If you right-click a process, you can end the specific process or you can use the option End Process Tree. The End Process Tree option ends all processes that have been created either directly or indirectly by the process.
Managing Process Priority
To change the priority of a process that is already running, use the Processes tab of Task Manager. Right-click the process you want to manage and select Set Priority from the context menu. You can select from Realtime, High, Above Normal, Normal, Below Normal, and Low. As you might expect, applications launch at Normal priority by default.
Perform the following steps to set a process priority and end a process from within Task Manager:
1. Right-click an empty space on your Taskbar and select Task Manager from the context menu.
2. On the Applications tab, click the New Task button.
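As an added example (not from the slides), the PowerShell below reproduces the Processes tab as data: one row per running process with owner, CPU time, private memory, priority class and parent PID, plus a walk of the parent/child tree, which is exactly the set of processes End Process Tree would terminate. Column names and the PID-reuse guard are this example's own choices.

```powershell
# Added example (not from the slides): the Processes tab as a script. Lists running
# processes with owner, CPU, memory, priority and parent, and walks the parent/child
# tree that "End Process Tree" acts on. Run elevated to see other users' processes.

function Get-ProcessListing {
    $cim = @{}
    foreach ($w in Get-CimInstance -ClassName Win32_Process) { $cim[[int]$w.ProcessId] = $w }
    foreach ($p in Get-Process) {
        $w = $cim[$p.Id]
        $owner = ''
        if ($w) {
            $o = Invoke-CimMethod -InputObject $w -MethodName GetOwner -ErrorAction SilentlyContinue
            if ($o -and $o.User) { $owner = "$($o.Domain)\$($o.User)" }
        }
        [pscustomobject]@{
            PID        = $p.Id
            ImageName  = $p.ProcessName
            UserName   = $owner                                      # blank when access is denied (not elevated)
            ParentPID  = $(if ($w) { $w.ParentProcessId } else { $null })
            CPUSeconds = $(if ($null -ne $p.CPU) { [math]::Round($p.CPU, 1) } else { $null })  # total, not the live %
            PrivateMB  = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)   # closest to "Memory (Private Working Set)"
            Priority   = $(try { $p.PriorityClass } catch { 'n/a' })      # n/a for protected processes
            Path       = $(if ($w) { $w.ExecutablePath } else { $null })
        }
    }
}

# Everything "End Process Tree" would end for $RootPid: the process and all its descendants.
function Get-ProcessTree {
    param([Parameter(Mandatory)][int] $RootPid)
    $all = Get-CimInstance -ClassName Win32_Process
    $byParent = @{}
    foreach ($w in $all) {
        $ppid = [int]$w.ParentProcessId
        if (-not $byParent.ContainsKey($ppid)) { $byParent[$ppid] = @() }
        $byParent[$ppid] += $w
    }
    $seen  = @{}
    $stack = New-Object System.Collections.Stack
    $stack.Push(@($RootPid, 0))
    while ($stack.Count -gt 0) {
        $id, $depth = $stack.Pop()
        if ($seen.ContainsKey($id)) { continue }    # PID reuse can make a stale parent id loop back
        $seen[$id] = $true
        $me = $all | Where-Object { $_.ProcessId -eq $id }
        if ($me) {
            [pscustomobject]@{ Depth = $depth; PID = $id; Name = $me.Name; CommandLine = $me.CommandLine }
        }
        foreach ($child in @($byParent[$id])) {
            if ($child -and $child.ProcessId -ne $id) { $stack.Push(@([int]$child.ProcessId, $depth + 1)) }
        }
    }
}

# Usage:
# Get-ProcessListing | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize   # like clicking the CPU column
# Get-ProcessTree -RootPid $PID | Format-Table                                        # tree under this PowerShell
# (Get-Process -Id 1234).PriorityClass = 'BelowNormal'                               # Set Priority
# Stop-Process -Id 1234                                                              # End Process
# taskkill /PID 1234 /T                                                              # End Process Tree
```

Get-Process exposes CPU as accumulated seconds rather than the instantaneous percentage Task Manager shows, so the sort is by total CPU consumed; sorting by PrivateMB gives the memory view.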
Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Process Monitor includes powerful monitoring and filtering capabilities, including:
• More data captured for operation input and output parameters
• Non-destructive filters allow you to set filters without losing data
• Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation
• Reliable capture of process details, including image path, command line, user and session ID
• Configurable and moveable columns for any event property
• Filters can be set for any data field, including fields not configured as columns
• Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
• Process tree tool shows the relationship of all processes referenced in a trace
• Native log format preserves all data for loading in a different Process Monitor instance
• Process tooltip for easy viewing of process image information
• Detail tooltip allows convenient access to formatted data that doesn't fit in the column
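The PowerShell below is an added example, not from the slides or the Sysinternals documentation. It drives Process Monitor from the command line with its documented switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs), exports the trace to CSV and summarises it the way a troubleshooter or malware hunter would: busiest operations and processes, every process creation, and any write to the Run/RunOnce autostart keys. It assumes Procmon.exe is on the PATH (or passed in -ProcmonPath) and that the CSV uses Procmon's default exported columns.

```powershell
# Added example (not from the slides or the Sysinternals documentation): drive Process
# Monitor from the command line, export the trace to CSV and summarise it in PowerShell.
# Assumes Procmon.exe is on the PATH (or pass -ProcmonPath) and that you run elevated.

function Invoke-ProcmonCapture {
    param(
        [string] $ProcmonPath = 'Procmon.exe',
        [int]    $Seconds     = 30,
        [string] $OutDir      = (Join-Path $env:TEMP 'procmon')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $pml = Join-Path $OutDir 'trace.pml'   # native PML log: keeps every field for reloading in Procmon
    $csv = Join-Path $OutDir 'trace.csv'

    # /Quiet skips the filter dialog, /Minimized keeps the window out of the way,
    # /BackingFile logs to disk instead of paged memory (the "advanced logging architecture").
    Start-Process -FilePath $ProcmonPath -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`"")
    Start-Sleep -Seconds $Seconds
    # /Terminate tells the running instance to stop capturing, flush the log and exit.
    Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait

    # /OpenLog + /SaveAs converts the PML to the format named by the extension (here CSV).
    Start-Process -FilePath $ProcmonPath -ArgumentList @('/AcceptEula', '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`"") -Wait
    return $csv
}

function Get-ProcmonSummary {
    param([Parameter(Mandatory)][string] $CsvPath)
    # Default exported columns: "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"
    $events = @(Import-Csv -Path $CsvPath)
    [pscustomobject]@{
        TotalEvents   = $events.Count
        TopOperations = $events | Group-Object Operation | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
        TopProcesses  = $events | Group-Object 'Process Name' | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
        # Process Create: Path is the new image, Detail holds its PID and command line.
        NewProcesses  = $events | Where-Object Operation -eq 'Process Create' | Select-Object 'Time of Day', 'Process Name', Path, Detail
        # Writes to the Run/RunOnce autostart keys are among the first things to check when malware hunting.
        AutostartWrites = $events | Where-Object { $_.Operation -eq 'RegSetValue' -and $_.Path -match '\\CurrentVersion\\Run(Once)?\\' } |
                          Select-Object 'Time of Day', 'Process Name', Path, Detail
    }
}

# Usage:
# $csv = Invoke-ProcmonCapture -Seconds 60
# $summary = Get-ProcmonSummary -CsvPath $csv
# $summary.TopProcesses
# $summary.NewProcesses    | Format-Table -AutoSize
# $summary.AutostartWrites | Format-Table -Wrap
```

Keeping the .pml alongside the CSV matters: the CSV has only the default columns, while the native log keeps thread stacks and the full event properties for loading into another Process Monitor instance, as the feature list above describes.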
Task Scheduler
Use the Task Scheduler utility in Windows 7 to schedule actions to occur at specified intervals. Windows 7 Task Scheduler can be accessed by typing task scheduler in the Start menu's search box.
Creating a Scheduled Task
You can create a basic task by selecting the Create Basic Task item in the Actions pane on the right side of Task Scheduler. By creating a basic task, a wizard lets you set any of your Windows programs to run automatically at a specific time and at a set interval, such as daily, weekly, or monthly. For example, you might schedule an application to run daily at 2:00 a.m. If you've chosen a time trigger, you configure the time/date when the action will occur.
Actions can be performed at the following events (called triggers) available in the Create Basic Task wizard:
• Daily, or once every number of days (such as once every three days)
• Weekly, or on certain days of the week, or every number of weeks (such as every four weeks on Monday)
• Monthly, or on selected days of the month, or only on selected months
• One time only
• When the computer starts
• When you log on
• When a specific event is logged
When a trigger is activated, Task Scheduler can perform the following actions:
• Start a program.
• Send an email.
• Display a message.
Managing Scheduled Task Properties
You can manage a scheduled task through its properties dialog box. To access this dialog box, right-click the task you want to manage and choose Properties from the context menu. The scheduled task's properties dialog box has six tabs for configuration, as follows:
General tab: On the General tab, you can configure the following options:
• The description of the task
• The username or group to be used to run the specified task
• Whether the task is run when the user is logged off
• Whether the task is hidden
Triggers tab: The Triggers tab shows the schedule configured for the task. You can click Edit to edit the trigger, which brings up the Edit Trigger dialog box. You can also click New to create a new trigger or click Delete to delete an existing trigger.
Actions tab: The Actions tab shows the action that is configured for the task. You can click Edit to edit the action, which brings up the Edit Action dialog box. You can also click New to create a new action or click Delete to delete an existing action.
Conditions tab: The Conditions tab shows the conditions associated with the task. The options in the Idle section are useful if the computer must be idle when the task is run. You can specify how long the computer must be idle before the task begins and whether the task should be stopped if the computer ceases to be idle. The options in the Power section are applicable when the computer on which the task runs is battery powered. You can specify that the task should not start if the computer is running from batteries and choose to stop the task if battery mode begins. You can also select whether to wake the computer in order to run the task. The option in the Network section defines whether the task starts when a particular network connection is available.
Settings tab: The Settings tab shows the settings that affect the task's behavior, including:
• Whether the task can be run on demand
• Whether the task should be restarted if it is missed
• How often the task should be restarted if it fails
• When to stop the task if it runs a long time
• Whether you can force the task to stop
• When the task should be deleted
• What actions should occur if the task is already running
History tab: The History tab shows historical information regarding the task, including the task's start time, stop time, and whether the task completed successfully. Once set up, the scheduled task should commence at the appropriate time; if not, you might need to troubleshoot it.
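As an added example that is not part of the slides, the PowerShell below builds the "daily at 2:00 a.m." task from the text with the ScheduledTasks module instead of the wizard, mapping each tab above (General, Triggers, Actions, Settings) onto a cmdlet, and then lists every registered task with its principal, triggers, actions and last result, which is the information the History tab and a CyberPatriot review both need. The task name, folder and command are placeholders chosen for this example.

```powershell
# Added example (not from the slides): the "daily at 2:00 a.m." task from the text built
# with the ScheduledTasks module instead of the wizard, followed by a review listing of
# every registered task's principal, triggers, actions and last result (the History tab).
# Task name, folder and command are placeholders chosen for the example.

function New-NightlyTask {
    param(
        [string] $TaskName = 'Example-Nightly',                # placeholder
        [string] $TaskPath = '\Example\',                      # placeholder folder in the Task Scheduler Library
        [string] $Execute  = "$env:SystemRoot\System32\cmd.exe",
        [string] $Argument = "/c echo nightly run %DATE% %TIME% >> `"$env:SystemRoot\Temp\nightly.log`""
    )
    # Actions tab: start a program.
    $action = New-ScheduledTaskAction -Execute $Execute -Argument $Argument
    # Triggers tab: daily at 02:00.
    $trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'
    # General tab: run as SYSTEM, so it runs whether or not a user is logged on.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # Settings tab: run as soon as possible if the 02:00 slot was missed, retry three times ten
    # minutes apart on failure, stop it after one hour, and ignore a new start while one is running.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                                              -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 10) `
                                              -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                                              -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force
}

# One row per registered task: who it runs as, what fires it, what it runs, and how the last run ended.
function Get-TaskReview {
    foreach ($t in Get-ScheduledTask) {
        $info = Get-ScheduledTaskInfo -TaskName $t.TaskName -TaskPath $t.TaskPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Task       = $t.TaskPath + $t.TaskName
            State      = $t.State
            RunAs      = $t.Principal.UserId
            Triggers   = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', '' }) -join ', '
            Actions    = ($t.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            LastRun    = $info.LastRunTime
            LastResult = $info.LastTaskResult    # 0 means the last run completed successfully
            NextRun    = $info.NextRunTime
        }
    }
}

# Usage:
# New-NightlyTask
# Get-TaskReview | Format-Table -AutoSize
# Get-TaskReview | Where-Object { $_.RunAs -match 'SYSTEM' -and $_.Actions -notmatch '^C:\\Windows\\' } |
#     Format-Table Task, RunAs, Triggers, Actions -Wrap
```

The last usage line is the review a defender runs: tasks that run as SYSTEM but launch something outside the Windows folder deserve a look at their Actions and History tabs before anything else.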
Event Viewer
Using Event Viewer
Event Viewer, shown in the figure, enables you to view event logs that are created by the operating system. This utility is useful when troubleshooting problems that occur on your computer.
Whenever an error occurs, an event is usually placed in one or more event logs. To open Event Viewer, click Start > Control Panel > System And Security > Administrative Tools > View Event Logs, or you can type event viewer in the Start menu's search box. Whereas old versions of Event Viewer contained only the Application, Security, and System logs, the Windows 7 version of Event Viewer contains the following logs:
• Application: The Application log is used to log events relating to applications, such as whether an application, driver, or service fails.
• Security: The Security log is used to log security events, such as successful or failed logon events.
• Setup: The Setup log is used only by domain controllers, so it doesn't have much practical use in Windows 7.
• System: The System log is used to log events concerning the operating system and related services.
• Forwarded Events: The Forwarded Events log is used to collect events that have been forwarded from other computers.
To configure log settings, right-click the log that you want to configure and select Properties. The Log Properties dialog box appears.
The Log Properties dialog box shows the following information:
• The full name of the log
• Where the log is stored
• The size of the log
• When the log was created, modified, and accessed
• Whether logging is enabled for the log
• The maximum log size in KB
• The action that occurs when the log reaches the maximum size
The left pane of Event Viewer is where you find the Windows logs noted previously, but it also
contains other logs and views that can be helpful when troubleshooting a specific application.
The Custom Views section can be used to create a view that contains only the information you
want to see, such as only events in a particular log or only Critical events. One custom view,
Administrative Events, is created for you by default.
The Administrative Events view contains Critical, Error, and Warning events from all logs, enabling you to easily view only the most important events. Another section in the left pane contains logs that relate to Applications and Services.
The Microsoft folder within the Applications and Services Logs contains many other logs related to specific Microsoft components and applications.
The Subscriptions folder enables you to receive event logs from other computers. Having other machines send their events to one machine is useful because it gives you one central place to view events from multiple locations. To use subscriptions, you must start the Windows Event Collector service.
The center pane of Event Viewer displays the events and the information that relates to those events. You can also view a summary of your administrative events, which contains a count of Critical, Error, Warning, Information, Audit Success, and Audit Failure events. A count of these events is displayed for the last hour, day, and week, and the total number of events is also provided. Each event is assigned an event level of Critical, Error, Warning, Information, or Verbose.
The right pane of Event Viewer enables you to perform actions related to items you have selected in the left and center panes. You can save logs, open saved logs, create or import views, clear logs, filter logs, and find logs with certain keywords. You can also attach a task to an event.
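The PowerShell below is an added example, not from the slides. It reads the same things Event Viewer shows, through Get-WinEvent: the Log Properties information for the five Windows logs, the Critical/Error/Warning counts behind the Administrative Events view, and a defender's use of the Security log's failed-logon events (event ID 4625), grouped by account and source so that a burst of failures stands out. Column names and the time windows are this example's choices.

```powershell
# Added example (not from the slides): Event Viewer from PowerShell with Get-WinEvent.
# Shows the Log Properties information for the five Windows logs, the Critical/Error/Warning
# summary behind the Administrative Events view, and a defender's use of the Security log.
# Reading the Security log requires an elevated prompt.

# What the Log Properties dialog shows, per log.
function Get-LogProperties {
    param([string[]] $LogName = @('Application', 'Security', 'Setup', 'System', 'ForwardedEvents'))
    Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            LogName     = $_.LogName
            Path        = $_.LogFilePath
            Enabled     = $_.IsEnabled
            Records     = $_.RecordCount
            SizeMB      = [math]::Round($_.FileSize / 1MB, 1)
            MaxSizeKB   = [int]($_.MaximumSizeInBytes / 1KB)
            WhenFull    = $_.LogMode          # Circular = overwrite oldest, AutoBackup = archive and start new, Retain = stop logging
            LastWritten = $_.LastWriteTime
        }
    }
}

# The counts the Administrative Events view gives: Critical (1), Error (2) and Warning (3)
# across the Application and System logs for the last $Hours hours.
function Get-AdminEventSummary {
    param([int] $Hours = 24)
    $names  = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning' }
    $filter = @{ LogName = @('Application', 'System'); Level = @(1, 2, 3); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Level | Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Level = $names[[int]$_.Name]; Count = $_.Count } }
}

# Failed logons (Security event 4625) grouped by target account and source address, most frequent first.
# Many failures for one account from one address in a short window is the pattern to investigate.
function Get-FailedLogonSummary {
    param([int] $Hours = 24, [int] $MaxEvents = 2000)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData fields are only reachable through the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']      # 2 interactive, 3 network, 10 remote desktop
            SubStatus = $d['SubStatus']      # e.g. 0xC000006A wrong password, 0xC0000064 unknown user
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Account, Source'; e = { $_.Name } }
}

# Usage:
# Get-LogProperties | Format-Table -AutoSize
# Get-AdminEventSummary -Hours 24
# Get-FailedLogonSummary -Hours 24 | Select-Object -First 10
# wevtutil sl Security /ms:268435456        # raise the maximum log size to 256 MB (Log Properties)
```

A Security log left at its default maximum size with the Circular mode shown in WhenFull will silently overwrite the oldest events, so check Get-LogProperties before trusting that a quiet Get-FailedLogonSummary means nothing happened.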
Regedit
Most of the time, you'll use the Services console in the Administrative Tools folder to enable and disable services. In some cases, however, you might need to enable or disable services manually. This could be the case if you've modified the system's configuration and services to the point that the Services console no longer lets you enable services. Or you might need to enable a service remotely.
To enable services on the computer through the registry:
• Start the Registry Editor by pressing the Start button and running this command: Regedit
• Browse through the left tree to where services are found: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services]
• Within the Services key, go to the short name of the wanted service (here RpcSS, aka Remote Procedure Call (RPC)): [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RpcSS]
• Double-click the Start value in the list on the right.
• Change Value data to the wanted state:
  • 0 = Boot
  • 1 = System
  • 2 = Automatic
  • 3 = Manual
  • 4 = Disabled
• Press OK and exit the Registry Editor.
• If setting a service to Disabled or Manual, then execute this command to stop the service: Net Stop RpcSS
• If setting the service to Automatic, then execute this command to start the service: Net Start RpcSS
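As an added example that is not part of the slides, the PowerShell below performs the Regedit procedure above from a script: it reads a service's Start value (with the ImagePath, ObjectName and DelayedAutostart values that sit beside it in the same key), decodes it with the 0 to 4 table from the slide, and changes it, following up with the same net stop or net start command. The function names and the -WhatIf preview are this example's choices; the registry paths and value names are the real ones.

```powershell
# Added example (not from the slides): the Regedit procedure done from PowerShell.
# Reads a service's Start value (and the related values next to it) from
# HKLM\SYSTEM\CurrentControlSet\Services and changes it, then runs the same
# net stop / net start the slides call for. Run from an elevated prompt.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartValue {
    param([Parameter(Mandatory)][string] $Name)    # short name, e.g. RpcSs or Spooler
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "No registry key for service '$Name'" }
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Name       = $Name
        Start      = $v.Start
        StartName  = $StartNames[[int]$v.Start]
        Delayed    = ($v.Start -eq 2 -and $v.DelayedAutostart -eq 1)   # services.msc: Automatic (Delayed Start)
        ImagePath  = $v.ImagePath                                        # the binary the service runs
        ObjectName = $v.ObjectName                                       # the account it runs as
        Type       = $v.Type                                             # 0x1/0x2 kernel or file-system driver, 0x10/0x20 Win32 service
    }
}

function Set-ServiceStartValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][ValidateSet('Boot', 'System', 'Automatic', 'Manual', 'Disabled')][string] $Mode
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "No registry key for service '$Name'" }
    $code = ($StartNames.GetEnumerator() | Where-Object { $_.Value -eq $Mode }).Key
    if ($PSCmdlet.ShouldProcess($Name, "set Start = $code ($Mode)")) {
        Set-ItemProperty -Path $key -Name Start -Value $code -Type DWord
        # The registry edit only changes what happens at the next boot; as on the slides,
        # change the running state too.
        switch ($Mode) {
            'Disabled'  { net stop $Name }
            'Manual'    { net stop $Name }
            'Automatic' { net start $Name }
        }
    }
}

# Usage:
# Get-ServiceStartValue -Name RpcSs
# Set-ServiceStartValue -Name Spooler -Mode Disabled -WhatIf    # preview only
# Set-ServiceStartValue -Name Spooler -Mode Automatic
```

The slides use RpcSS only to show where the key lives; it is a core service that Windows itself depends on, so try the Set function on something harmless such as Spooler. For day-to-day work Set-Service -StartupType does the same edit with validation, and Get-ServiceStartValue is most useful for comparing ImagePath and ObjectName against what the Services console displays.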