If you fire up Taskmgr or Process Viewer on any Windows 2000 or Windows Server 2003 system, you will see a core set of processes. These processes run by default on any system and handle things such as logons, managing certain services, and controlling the Windows shell. The complete list of these processes is in Table E-1.
Table E-1. Default Windows processes
Process name | Purpose |
---|---|
Csrss.exe | An essential subsystem that is responsible for managing console windows, user-mode threads, and some parts of the 16-bit virtual MS-DOS environment. Csrss stands for client/server run-time subsystem. |
Explorer.exe | Responsible for the user shell. If you've ever experienced the Start menu, taskbar, or Windows Explorer freezing up, terminating and restarting this process can help. |
Lsass.exe | Responsible for authenticating users and issuing the access token associated with each user session. |
Mstask.exe | Corresponds to the Task Scheduler service and is responsible for running scheduled tasks. |
Services.exe | Service Control Manager (SCM), which is responsible for handling service management requests such as start, stop, and pause. |
Smss.exe | Session Manager, which is the first user-mode process to run after a system starts up. The kernel starts this process, which in turn starts other user-mode processes, such as csrss.exe and winlogon.exe. |
Spoolsv.exe | Responsible for spooling print and fax jobs. |
Svchost.exe | Started by any service that is run from a dynamic link library. See MS KB 250320 for more information on how to locate services that use this process. |
System | Handles all kernel mode threads. |
System Idle Process | Single-threaded process that accounts for unused processor time. In Taskmgr, this process will show up using all unused processor time. On a lightly loaded server, it can use as much as 99% of the CPU. |
Winlogon.exe | Handles logon and logoff requests by users. |
Winmgmt.exe | A Windows 2000-only process that is responsible for loading all WMI providers. It is responsible for managing all WMI requests and responses from client computers. If any WMI provider fails, it causes all WMI providers to become unavailable. |
Wmiprvse.exe | In Windows Server 2003, the winmgmt.exe process was replaced with this. Instead of all WMI providers being loaded by a single process, a separate instance of wmiprvse.exe is spawned for each active provider. Thus, if a single provider fails, only that provider is affected. |