04.09.2024

Process Explorer is a free utility for monitoring system processes. Hiding a process in Windows Task Manager. How to hide a process in Windows 7

When something is wrong in the system or we just want to check the effectiveness of the antivirus installed on the computer, we usually press the three treasured keys Ctrl, Alt, Del and launch the Task Manager, hoping to find a virus in the list of processes. But in it we see only a large number of programs running on a computer, each of which is represented by its own process. And where is the virus hiding here? Our article today will help you answer this question.

To determine whether a process is a virus, you need to look very carefully at the list of processes. In the Windows Vista operating system, be sure to click the “Display processes of all users” button, otherwise you won’t really see anything. First of all, pay attention to the description of the process in the “Description” column. If there is no description or it is somehow “clumsy”, this should alert you. After all, program developers have a habit of signing their creations in understandable Russian or English.
Having noted the processes with a suspicious description, we turn our attention to the next column - “User”. Viruses are usually launched on behalf of the user, less often in the form of services and on behalf of the system - SYSTEM, LOCAL SERVICE or NETWORK SERVICE.

So, having found a process with a suspicious description, launched on behalf of a user or under an account you cannot identify, right-click on it and select “Properties” in the context menu that appears. A window will open with the properties of the program that launched this process. Pay special attention to the “Details” tab, where information about the developer, file version and its description is indicated, as well as to the “Location” item of the “General” tab - the path to the running program is indicated here.

If the “Location” path leads to the Temp directory, Temporary Internet Files, or some other suspicious place (for example, to the folder of a certain program in the Program Files directory, but you are sure that you did not install such a program), then POSSIBLY this process belongs to a virus. But all these are just guesses; for detailed information it is, of course, better to turn to the Internet. There are good lists of processes on the sites what-process.com, http://www.tasklist.org and http://www.processlist.com. If, after all the searches, your fears about the suspicious process are confirmed, you can rejoice - a virus, Trojan or other malware has settled on your computer, which needs to be eliminated urgently.

But the window with the properties of the file that started the process may not open from the Task Manager. Therefore, in addition to the standard Windows tools, you need to use various useful utilities that can provide as much information as possible about the suspicious process. We have already reviewed one of these programs - Starter (http://www.yachaynik.ru/content/view/88/).

In Starter, the “Processes” tab provides comprehensive information about the selected process: a description of the program and the name of the file that launched the process, information about the developer, a list of modules (software components) involved in the process.

Thus, there is no need to delve into the properties of the file that launched the process - everything is in full view. However, this does not prevent you from right-clicking on the suspicious process and selecting “Properties” to get detailed information about the process file in a separate window.

To get to the program folder that belongs to the process, right-click on the process name and select “Explorer to process folder.”

But the most convenient option in Starter is the ability to start searching for information about the process directly from the program window. To do this, right-click on the process and select “Search Internet.”

After you receive complete information about the file that launched the process, its developer, its purpose and the opinion about the process on the Internet, you will be able to accurately determine whether it is a virus or a peaceful program-worker. The same principle applies here as in the Task Manager. Suspicious are those processes and process modules for which the developer is not specified, whose description is empty or vague, or which are launched from a suspicious folder: for example, Temp, Temporary Internet Files, or a folder in Program Files for a program that you definitely remember you did not install. And finally, if the Internet clearly states that this process belongs to a virus, rejoice - the malware did not manage to hide from you!

One of the most common misconceptions among novice users concerns the svchost.exe process. It is spelled exactly this way and no other: svshost.exe, scvhost.exe, cvshost.exe and other variations on this theme are viruses masquerading as a good process, which, by the way, belongs to Windows services. More precisely, one svchost.exe process can run several system services at once. Since the operating system has many services and needs them all, there are also a lot of svchost.exe processes.

In Windows XP, there should be no more than six svchost.exe processes. Five svchost.exe processes are normal, but seven are a 100% guarantee that malware has taken up residence on your computer. In Windows Vista there are more than six svchost.exe processes. For example, I have fourteen of them. But there are many more system services in Windows Vista than in the previous version of this OS.

Another useful utility, Process Explorer, will help you find out which services are started by the svchost.exe process. You can download the latest version of Process Explorer from the official Microsoft website: technet.microsoft.com

Process Explorer will give you a description of the process, the program that launched it, the name of the developer, and a lot of useful technical information that is understandable only to programmers.

Hover your mouse over the name of the process you are interested in and you will see the path to the file that launched this process.

And for svchost.exe, Process Explorer will show a complete list of services related to the selected process. One svchost.exe process can run several services or just one.

To see the properties of the file that launched the process, right-click on the process you are interested in and select “Properties”.

To search for information about a process on the Internet using the Google search engine, simply right-click on the process name and select Google.

As before, suspicion should be raised by processes without a description, without the name of the developer, launched from temporary folders (Temp, Temporary Internet Files) or from the folder of a program that you did not install, and also identified on the Internet as viruses.
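The checks listed above can be applied mechanically to a process inventory. The following is an added example, not code from the original article or from either utility: the CSV columns and sample rows are constructed, and the rule about the expected folder for svchost.exe goes beyond the article and assumes Windows is installed in C:\Windows.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample inventory, not real telemetry; the column names are assumptions.
SAMPLE_CSV = r"""name,path,description,company
svchost.exe,C:\Windows\System32\svchost.exe,Host Process for Windows Services,Microsoft Corporation
chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe,Google Chrome,Google LLC
upd.exe,C:\Users\alice\AppData\Local\Temp\upd.exe,,
svchost.exe,C:\Users\alice\AppData\Roaming\svchost.exe,Host Process for Windows Services,
"""

# Folder names the article treats as suspicious launch locations.
TEMP_DIRS = {"temp", "temporary internet files"}

# Assumption: Windows is installed in C:\Windows. A genuine svchost.exe lives
# only in these folders, so the same name anywhere else deserves a look.
EXPECTED_DIRS = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}


def indicators(row):
    """Return the list of reasons why one process record looks suspicious."""
    reasons = []
    path = PureWindowsPath(row["path"])
    if not row["description"].strip():
        reasons.append("no description")
    if not row["company"].strip():
        reasons.append("no developer name")
    # Compare folder components only, so a file merely named temp.exe is not flagged.
    if any(part.lower() in TEMP_DIRS for part in path.parts[:-1]):
        reasons.append("runs from a temporary folder")
    expected = EXPECTED_DIRS.get(row["name"].lower())
    if expected and str(path.parent).lower() not in expected:
        reasons.append("system process name outside its expected folder")
    return reasons


def triage(csv_text):
    """Return (name, path, reasons) for every flagged record, most indicators first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = indicators(row)
        if reasons:
            flagged.append((row["name"], row["path"], reasons))
    return sorted(flagged, key=lambda item: len(item[2]), reverse=True)


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_CSV):
        print(f"{name:12} {path}\n             -> {', '.join(reasons)}")
```

A flagged record is a candidate for the manual checks described in the article, not a verdict: unsigned but legitimate tools will also appear in the output.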

And remember, for the Process Explorer and Starter programs to work properly in Windows Vista, they need to be run with administrative rights: right-click on the program executable file and select “Run as administrator”.

However, I have to disappoint you: only very stupid viruses reveal themselves in the list of processes. Modern virus writers have long learned to hide their creations not only from the eyes of users, but also from antivirus programs. Therefore, if you are infected with well-written malware, the only things that can save you are a good antivirus with fresh databases (and even that is not a fact!), a backup copy of all your information, and a disk with the Windows distribution to reinstall the system. Nevertheless, it is still worth periodically looking into the list of processes - you never know what scvhost or mouse.exe is lurking there.


Process Explorer is a powerful free utility designed to monitor, in real time, all the processes loaded in the operating system. It was originally created by Sysinternals, but was later acquired by Microsoft Corporation. The program shows the most detailed technical information about all running processes, including system memory usage, loaded libraries and much other technical information.

The program's main area consists of two separate panes. The first displays a list of all processes currently loaded on the system, including the names of the user accounts under which these processes are running. Depending on the mode selected, the lower pane displays various additional information. In handle mode, you can see all open handles belonging to the process selected in the upper pane. In DLL mode, this pane displays all dynamic libraries loaded by the process, as well as memory-mapped files.



In addition, Process Explorer has powerful smart search capabilities that make it easy to reliably find out which process has which handle open or which DLL is loaded.

The application is very useful for solving various DLL version problems, as well as for detecting memory leaks.

It is noteworthy that the information displayed by the application is much more detailed than that provided by the standard Windows Task Manager. Among the most notable properties of this utility is the ability to clarify which process belongs to a particular window on the desktop.

Process Explorer works on Microsoft Windows XP and higher operating systems, including 64-bit versions. The latest edition of the program supports the 64-bit mode of Vista and Windows 7 - Windows 10 systems. For these versions of the operating system, the program is released as a self-extracting archive, which then launches the procexp64.exe process.

Program features:

  • Tree display of processes.
  • The ability to recognize system processes (whether a particular process is system or third-party).
  • Displays an icon as well as the manufacturer's name for each process.
  • Graphic visual indicators, as well as a variable CPU load range.
  • Function of freezing any process.
  • Convenient ability to control (pause, start and stop) individual threads of the process.
  • The function of displaying a window that belongs to one or another process on top of all others.
  • Ability to close the entire process tree at once.
  • The ability to change, in real time, the priority of a process and the CPU core that will execute it.
  • The ability to check the certificate of the file behind a particular process.
  • A function to replace the standard Task Manager using the same hotkeys.
  • For all objects that have ACLs, there is a “Security” tab (starting from version 12-04).

So, here is a powerful tool that allows you to monitor the status and all processes that are running on your operating system. Small size, clear interface, great functionality - all these aspects make the Process Explorer application stand out from other analogues of the standard Task Manager.

You can view a list of all programs running on your computer using Windows Task Manager. To do this, press the key combination on your keyboard. You will see a list of processes, and the question will immediately arise: why is each specific process in this list needed? Let's figure out what processes are and how they can be managed.

Processes are everything that is happening in the system at the current moment. In Task Manager, the “Processes” tab displays all currently running programs. Processes can be “spawned” either by the user or by the system. System processes start when Windows boots; user processes are programs launched by the computer user himself or launched on his behalf. All system processes run as LOCAL SERVICE, NETWORK SERVICE or SYSTEM (this information is available in Task Manager in the “Username” column).

The task manager only allows you to view the list of processes and terminate their work. To do this, select the process name in the list and click the “End Process” button. This means the program that owns the process is terminated. However, it is not possible to view information about a particular process in the Task Manager.

To manage Windows processes, I would recommend using a more powerful utility called Starter. This is a great free program, which also does not require installation. Download it, then run the file from the folder and select the “Processes” tab at the top.
Starter shows all processes in real time, providing comprehensive information on each of them. By right-clicking on the process of interest and selecting “File Properties”, we can find out the manufacturer of the software module, its version, attributes and other information. The process context menu also allows you to go to the program folder, end the process, or find information about it on the Internet.

How to get rid of viruses on your computer using Starter?

Very often, viruses and other malicious programs are disguised as various processes. Therefore, if you notice that something is wrong with your computer, run an antivirus scan. If this does not help or your antivirus refuses to start at all, open Task Manager and view all running processes.

Pay special attention to a process if it is running as a user and is consuming too many resources (the “CPU” and “Memory” columns). If you find an obviously suspicious process in the list, end it and see how your system works after that. If you are in doubt or don’t know which program the running process belongs to, it’s better to go to Google or Yandex, enter the name of the process in the search bar and find information about it.

The built-in Task Manager in Windows, of course, allows you to disable processes, but, unfortunately, it provides very little information about them, and therefore it is quite difficult to understand whether a process is viral. The Starter program is much more useful in this regard.

So, to find and remove a virus process from your computer, do the following:

1. Launch the program and go to the “Processes” tab.
2. Find a process that looks suspicious. Right-click on it and select “File Properties”. For example, I chose the file svchost.exe. In the window that opens, look at the manufacturing company of this application.
The fact is that practically any process is signed by its developer. But virus applications are usually not signed.
In my case the file svchost.exe is signed by Microsoft Corporation, and therefore we can trust it.
3. If the selected process turns out to be not signed by anyone or signed by some strange company, then again right-click on the name of this process and select “Search on the Internet” - “Google” (the Internet on the computer must be connected).
4. If the sites suggested by Google confirm that this process is a virus, then you need to go to the folder of this process (to do this, in Starter, select the item “Explorer to process folder” in the context menu). Then, after ending the process, delete this process's file from that folder.
If you still doubt whether it is a virus or not (perhaps you were unable to look up information about it on Google due to the lack of Internet), then you can simply change the extension of this file (for example, from .exe to .txt) and move it to another folder.

That's all. Today we learned what Windows processes are and what utilities can be used to manage them. In addition, we now know how to get rid of viruses masquerading as various processes.

Processes are divided into:

System (programs and utilities that are components of the operating system; the emergency termination of any one of them can crash Windows).

Anonymous (extremely rare; these are program files launched as auxiliaries as a result of user actions, without requesting permission to launch).

Network/Local (processes in Task Manager related to the local network, the Internet and the registry; these are important Windows programs and components).

User (programs that are launched by the user).

Is it possible to identify a "left" (rogue) process?

It is not always possible to identify a “left” process. If the person who created it has disguised it thoroughly, it is unlikely that even an experienced computer engineer will be able to spot it without a hint of its existence and a detailed study of the behavior of each process.

However, a person who is sure that there is an extra program hanging on the computer, and even a poorly disguised one, will be able to figure it out in a matter of minutes.

How to hide a process in task manager?

The easiest option for hiding a process is to rename the main executable file. But it is worth considering how the program works and whether it creates additional processes that give it away.

Learn how to hide the Windows Task Manager process

Of course, the anonymity of the execution of some programs will make it possible to track those who excessively clutter up a personal computer. Such surveillance is especially important when several users have access to the PC.

Also, the desire to hide the process arises among those who install their own program and strive to prevent advanced users from being able to detect its presence in simple ways.

Any execution of a program is a process that needs a certain amount of RAM. Processes are divided into:

  • system;
  • anonymous;
  • user;
  • Internet-related.

It is not recommended for those who do not have practical experience and the necessary technical knowledge to interfere with system processes, since such unreasonable implementation can provoke extremely undesirable consequences. One of these consequences may be the failure of the subsequent startup of the operating system.

You can learn to hide any user programs, and you don’t need to make a huge effort, just carefully read our recommendations. We draw your attention to the fact that even an advanced engineer who is unaware of your “creative deeds” will not easily notice the “left” process.

Algorithm of actions

If you need to hide a software application, you first need to figure out whether it is simple, whether it launches additional processes that can simply give it away, no matter how you try to hide the program.

If, indeed, your program is simple, if it appears in the Task Manager as a single line, we suggest the simplest way to hide the process. To do this, you just need to rename it.

So, we will help you figure out how to rename the process in the Task Manager so that the program continues to function perfectly in anonymous mode.

Step 1

First, go to the folder where the executable file of the specific program is located. If you know where it is located, then use your usual “route” by opening the “Computer” window, going to the system drive C, and then going to its root folder.

If you don’t know where the executable file is hidden, it doesn’t matter: you just need to find this process in the list displayed in the Task Manager, right-click on it, and then select the line “Open file location” in the menu that opens.


Step 2

After these actions, the folder you are looking for will open, and all you have to do is find the executable file in it. It will not be difficult to find, since this file has exactly the same name as in the list of processes in the Task Manager. In addition, this file has the extension “exe”.

Step 3

To rename a file, right-click on it again, and then select the “Rename” line. Now that you have assigned a new name to your software application, open “Task Manager” and see that this renaming is displayed there too.


Of course, the name you come up with will determine how “veiled” your program will become for other PC users. An unfamiliar process with a new name will arouse suspicion even faster and force a technical engineer to figure out what kind of program is running on the PC.

For this reason, many experienced users recommend coming up with names that do not arouse any suspicion at first glance.

In particular, an open Chrome browser creates multiple processes simultaneously, just as Windows does. It is advisable to take the same process name, but since the system will not allow two processes of the same name to function simultaneously, it is recommended to use a little trick when renaming. Some English letters in the name are replaced, as if by accident, with Russian letters. Outwardly, it is impossible to distinguish the Russian letters from the English ones, but the system will distinguish them, and therefore will allow programs with conditionally identical names to work.
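Both disguises described on this page, the misspelled svchost.exe variants and the replacement of English letters with Russian look-alikes, can be caught by comparing each process name against a list of well-known names. The following is an added example, not code from the original article: the `KNOWN` list, the partial `LOOKALIKES` map and the `MAX_EDITS` threshold are assumptions, and the sample names are constructed.

```python
import unicodedata

# Assumption: a short list of image names worth protecting; extend it for your machines.
KNOWN = ["svchost.exe", "chrome.exe", "explorer.exe", "lsass.exe"]

# Cyrillic letters that render like Latin ones (partial map, written as escapes
# so the two alphabets cannot be confused in this listing).
LOOKALIKES = str.maketrans(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0456\u043a\u0455\u0458",
    "aceopxyiksj",
)
MAX_EDITS = 2  # typo distance still treated as an imitation; tune to taste


def osa_distance(a, b):
    """Edit distance where a swap of two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_name(image_name):
    """Return None for an unremarkable name, else a short finding string."""
    name = image_name.lower()  # Windows compares file names case-insensitively
    stem = name.rsplit(".", 1)[0]
    folded = name.translate(LOOKALIKES)
    if folded != name and folded in KNOWN:
        return f"homoglyph of {folded}"
    # A stem written entirely in one alphabet is normal; a mix of two is not.
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in stem if ch.isalpha()}
    if len(scripts) > 1:
        return "mixed scripts in name"
    if name in KNOWN:
        return None
    for known in KNOWN:
        if osa_distance(stem, known.rsplit(".", 1)[0]) <= MAX_EDITS:
            return f"near-miss of {known}"
    return None


# Constructed sample names, including the misspellings quoted in the article.
SAMPLES = ["svchost.exe", "scvhost.exe", "svshost.exe", "cvshost.exe",
           "chr\u043eme.exe", "upd\u0430ter.exe", "notepad.exe"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!a:28} {check_name(sample)}")
```

Printing the names with their escapes visible is deliberate: on screen the disguised and genuine names look identical, which is exactly why the comparison has to be done on code points.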

Results

So, as you have noticed, you can make some software application anonymous without much difficulty. Of course, there are also quite advanced methods that allow you to hide any process more reliably, but they rely on writing complex code and on programming skills. If you don't have such complex goals in mind, then hiding running software applications by renaming them is a perfectly acceptable option.