IFSM 430 Lab exercise 6

What processes are running on XP and how did they start?

Task Manager lists running processes, as we've seen. Most of them are part of Windows. Some are essential for operating the computer and can't be stopped (the system won't let you End Process them). Try to End Process winlogon.exe. What happens: __________________________

Some aren't of much use (in fact, they have been called "parasites" by some) and can be terminated. mdm.exe is one such (it's for debugging); if it's on your computer, try to kill it. What happens: ________________________

Some of the processes are important services like anti-virus. defwatch.exe and rtvscan.exe are part of Norton anti-virus. They can be terminated but probably shouldn't be.

Some are maybe useful but not important, like DateManager.exe and PrecisionTime.exe. If those are on your system, End Process them. But they'll be back when you reboot.

Places these processes get started from:

1. The Start|Programs|Startup menu has some of them. What is in this menu on your system: _______________________________
This menu data is actually from C:\Documents and Settings\student\Start Menu\Programs\Startup (substitute whatever username you're logged in as for 'student' on other systems). What's in that folder on your system: ______________________________
Adding and removing files and links in this folder affects what's in the Startup menu.

2. Registry: the centralized configuration database of Windows. "The registry contains profiles for each user of the computer and information about system hardware, installed programs, and property settings. Windows continually references this information during its operation." Start|Run|regedit starts the registry editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to see more programs that are started at bootup.
What are they: ________________________________________________ ________________________________________________ ________________________________________________
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices ________________________________________________
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Program installations add keys here. They can be manually deleted if necessary.

3. Services. Start|Programs|Administrative Tools|Services or, if Administrative Tools has not been added to the Programs menu: Start|Run|services.msc
There are a lot of started services. Most start automatically at boot; others are started when needed. Many of these run as threads (a thread is a part of a process) of the processes we see in the process list, like svchost.exe, lsass.exe and System.
Double-click Machine Debug Manager. What is its service name: _____
Start it if it's not already started. What appears in Task Manager's Process list: _____________
Now Stop it. Changing its Startup Type to Disabled would make it not start automatically at bootup.

In your Task Manager, choose View|Select Columns and click on PID (Process Identifier). Notice each process in the process list has a unique PID. What's the PID of the System process: ______
With this and the netstat command we can match what process is listening on a port. Start the command line (Start|Run|cmd) and type: 'netstat -oa'
What is the name of the process that is listening on the epmap port: ______
What is the name of the process that is listening on the 5000 port: ______
Do these appear safe (that is, do they appear to be system processes or unknown hacker-installed back doors): ____________
You could correlate each listening port with a legitimate process, or at least investigate each one that doesn't seem to be associated with a known system process.

********************************

Anti-virus software. We have Norton. Start it from the taskbar tray.
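For the netstat step above, here is an added example (not part of the lab handout) that does the same PID correlation in Python over constructed `netstat -oa` output and a constructed Task Manager PID list, and flags listeners that are not owned by a recognised system process; all PIDs, process names and the unknown.exe listener are made-up sample data.

```python
# Constructed sample of `netstat -oa` output on an XP machine (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:epmap          0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:microsoft-ds   0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2200
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed Task Manager process list with the PID column enabled (View|Select Columns).
PROCESSES = {4: "System", 828: "svchost.exe", 1120: "svchost.exe",
             1452: "rtvscan.exe", 2200: "unknown.exe"}

# Process names that normally own listening ports on a stock XP box.
KNOWN_SYSTEM = {"System", "svchost.exe", "lsass.exe", "services.exe"}


def parse_netstat(text):
    """Return (proto, local port or service name, pid) for each listening socket."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank and "Active Connections" lines
        proto, local = fields[0], fields[1]
        pid = int(fields[-1])  # the -o switch appends the PID as the last column
        # TCP rows carry a State column; UDP rows do not, so only TCP is filtered.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        port = local.rsplit(":", 1)[1]  # netstat prints service names (epmap) without -n
        rows.append((proto, port, pid))
    return rows


def correlate(text, processes):
    """Join each listening port to the process name behind its PID, as done by hand in the lab."""
    return [(proto, port, pid, processes.get(pid, "<no such PID>"))
            for proto, port, pid in parse_netstat(text)]


def suspicious(text, processes, known=KNOWN_SYSTEM):
    """Listeners whose owning process is not a recognised system process: investigate these."""
    return [row for row in correlate(text, processes) if row[3] not in known]
```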
What version of the Virus Definition File does your system have: __________ This contains the signatures of the known viruses. The trend has been toward more frequent updates than in the past.
How many items are in Quarantine: ______ (sort of a jail for infected files that can't get the virus removed from them)
File|Virus List shows all the viruses that can be detected. How many: _____
Select VBS.LoveLetter.A(1). What is its Length: ________, its Likelihood: ___________, a Characteristic: ___________
View|File System Real Time Scan Statistics shows the number of files scanned since it started: ___________ Any Infections: _______
Every file that is accessed from disk is automatically scanned. Open some random file (any file). How many files were scanned as part of this process: _______________ (Several files such as DLL files are part of the application that opens your chosen file; they are all accessed from disk and thus scanned along with your chosen data file.)
Scan|Scan Computer: choose the F: drive and scan it. How many files are scanned in how much time: _____________________ Any viruses: _____

****************************

Remote control. XP Professional has Remote Desktop Connection. You allow remote connections to a computer by: right-click the My Computer icon, Properties, Remote tab, and choose Remote Connection (if permissions allow user student to do so).
Work with a partner: on one machine, log on as class admin (I'll type the password) and allow remote connection. Then on the other computer do: Start|Programs|Accessories|Communications|Remote Desktop Connection and log in as username student with password as the password.
Convince yourself that the desktop is that of the other computer, not yours, by right-clicking My Computer, Properties, Computer Name to see what computer it is. The desktop is also that of the other computer. Bringing up Task Manager shows what you are running on that computer, not yours.
The "taskbar" at the top of the screen can be minimized and you're back at your own computer's desktop (you never left it, of course). On your desktop is the button to go back to the remote desktop. It's useful for remote diagnostics and to access all the data and software on that computer. It seems that the computer is either logged on to locally or logged on to remotely, not both simultaneously, and only one remote connection is allowed at a time.