Default Processes in Windows 2000 (Q263201)

• Microsoft Windows 2000 , Professional

SUMMARY

This article describes the processes which run by default in Microsoft Windows 2000. These processes can be viewed using Task Manager.

MORE INFORMATION

Csrss.exe - You cannot end this process from Task Manager.

• This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

• This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

• Internat.exe runs at startup; it loads the different input locales specified by the user. The locales to be loaded are taken from the following registry key:

  HKEY_USERS\.DEFAULT\Keyboard Layout\Preload

  Internat.exe loads the "EN" icon into the system tray, allowing the user to easily switch between locales. This icon disappears when the process is stopped, but the locales can still be changed through Control Panel.

• This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

• This is the task scheduler service, responsible for running tasks at a time predetermined by the user.

• This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

• The spooler service is responsible for managing spooled print/fax jobs.

• This is a generic process, which acts as a host for other processes running from DLLs; therefore, don't be surprised to see more than one entry for this process. To see what processes are using Svchost.exe, use Tlist.exe from the Windows 2000 CD-ROM; the syntax is tlist -s at the command prompt.
  
  For more information, see the following article:
  
  

  Q250320 Description Of Svchost.exe

• This is the Services Control Manager, which is responsible for starting, stopping, and interacting with system services.

• Most system kernel-mode threads run as the System process.

• This process is a single thread running on each processor, which has the sole task of accounting for processor time when the system isn't processing other threads. In Task Manager, expect this process to account for the majority of processor time.

• This is the process for Task Manager itself.

• This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

• Winmgmt.exe is a core component of client management in Windows 2000. This process initializes when the first client application connects or continuously when management applications request its services.

COMMENTS?