Ask Leo! by Leo A. Notenboom

How can I tell from where an EXE file is being run?


Summary: Malware authors often try to hide their work by giving their files the same names as legitimate system processes. The difference comes down to location.

I am just about fed up with Windows Vista running so much stuff in the background that I don't understand. I've become obsessed with checking out what processes are running and then Googling them. The problem is most sites then tell me it's a legit MS program - often described as being important for stability - then in the next paragraph they say that the same exe file is a registered Trojan or virus.

The latest was 'csrss.exe' (two at the same time). When I looked it up it was explained it should be in the system 32 folder, but I have one in there and another somewhere else that I can't find - task manager will not show the file location for either!

I can certainly sympathize with Windows Vista's complexity. This isn't a simple operating system any more, and it's not something that can be "pared down" to just a couple of running programs. Vista will always have lots of processes running. It's not a good thing, it's not a bad thing, it's just a thing ... a reflection of a large and complex operating system that's trying to do a lot.

But the point you raise is a good one. Malware writers often try to obscure what they're about by naming their files after system executables. As you've seen, csrss.exe in one place is critical to system operation, and yet a csrss.exe run from some other place is most likely malware.

How do you know which is which?

First and foremost, for most people, the correct answer is that you should never need to know. This is something your anti-virus and anti-spyware software should be taking care of for you. Good anti-malware software will either remove malware that is masquerading as a system file, or at a minimum warn you about it. The key is twofold:

  • Make sure that both the anti-virus and anti-spyware programs are up to date

  • Make sure that both the anti-virus and anti-spyware databases are up to date - most will update automatically, so you need to make sure that this is happening, and happening daily.


Now, for the rest of us who want to know what the heck is going on...

As you point out, Task Manager will show you that multiple copies of something called "csrss.exe" are running (on Vista, two is normal: one for session 0, where services run, and one for your logged-on session), but it won't tell you where they reside.

Enter Process Explorer. This is a free download from Microsoft's Sysinternals that I've often referred to as "Task Manager on steroids". I never use Task Manager anymore, just procexp.

After running Process Explorer, simply hovering the mouse over the item we care about gives us that key bit of information:

Process Explorer showing location of csrss.exe

Here you can see that on my machine csrss.exe is running from c:\windows\system32 - exactly where it should be.

There's more information available, though. Right click on the item, and click on Properties to get this:

Process Explorer showing properties of csrss.exe

The properties dialog contains a whole host of information about any running process. On this "Image" tab you can see not only the location of the executable being run, but also any command line parameters that were passed to it, its current working directory, its parent process and more. The Verify button on the same tab checks the file's digital signature: a genuine Windows system file verifies as signed by Microsoft, and a file that doesn't verify deserves a closer look whatever its name. The other tabs show even more information.

Of particular note are processes that provide Windows Services. If I right click on one of the instances of "svchost.exe", click on Properties and then the Services tab, I get this:

Svchost.exe services list

As I've discussed in other articles, svchost is the "Service Host" executable - it acts as a "host" within which other services can run. You'll often find multiple copies of it running on your machine, and each one may be host to one or more Windows system services. Here you can see that this particular copy of svchost is running many services on my machine.

Since there are already multiple copies of svchost.exe running, it's a common target for malware authors to "slip in another one" that might run from a different location in the hopes that you won't notice. If you suspect a problem, svchost.exe is just like csrss.exe: it should be running from your Windows System32 folder (c:\windows\system32 on most machines) and nowhere else, with one exception: on 64-bit Windows, the 32-bit copy in c:\windows\SysWOW64 is also legitimate. Two more things are worth a glance while you have the Properties dialog open: every genuine svchost.exe is started by services.exe and hosts at least one service, and a file that fails the Verify check on the Image tab is not Microsoft's, no matter how it is named or where it sits. Location is the first test, not the only one: malware that injects itself into a genuine, correctly located process won't show up as a separate misplaced file at all.
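What Process Explorer shows one process at a time can also be collected for every instance at once. The following PowerShell script is an added example, not code from this article or from Sysinternals. It assumes Windows PowerShell 3.0 to 5.1 run from an elevated prompt (image paths of system processes aren't readable as a standard user), Windows installed under $env:SystemRoot, and, for the signature check, Windows 8 or later, where Get-AuthenticodeSignature recognizes the catalog signatures Windows system files carry; on Vista it reports those files as NotSigned, and Process Explorer's Verify button is the reliable check there. It goes a step beyond the location rule above and also checks the parent process, the signature and, for svchost.exe, the services it hosts, allowing for the SysWOW64 copy that is legitimate for 32-bit svchost on 64-bit Windows.

```powershell
# Added example, not code from the article or from Sysinternals: the checks
# Process Explorer's Image and Services tabs let you make by hand, done for
# every csrss.exe and svchost.exe at once.
# Assumptions: Windows PowerShell 3.0-5.1, elevated prompt, Windows under
# $env:SystemRoot, Windows 8+ for catalog-signature support.

$system32 = Join-Path $env:SystemRoot 'System32'
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'   # 32-bit svchost on 64-bit Windows

# Image names malware likes to borrow, the directories each may run from,
# and the process that legitimately starts it.
$rules = @{
    'csrss.exe'   = @{ Dirs = @($system32);            Parent = 'smss.exe'     }
    'svchost.exe' = @{ Dirs = @($system32, $sysWow64); Parent = 'services.exe' }
}

function Get-ImpostorReport {
    $procs = Get-WmiObject Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $name = $p.Name.ToLower()
        if (-not $rules.ContainsKey($name)) { continue }
        $rule   = $rules[$name]
        $issues = @()

        # 1. Location: the Path field on the Image tab.
        $path = $p.ExecutablePath
        if (-not $path) {
            $issues += 'image path unreadable (run elevated)'
        } elseif ($rule.Dirs -notcontains (Split-Path $path -Parent)) {
            $issues += "runs from $(Split-Path $path -Parent)"
        }

        # 2. Parent: csrss is created by a per-session smss.exe that exits
        #    right afterwards, so an exited parent is normal there; a live
        #    parent with the wrong name is not. (A reused PID can produce a
        #    false hit; confirm in Process Explorer.)
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parent -and $parentName -ne $rule.Parent) {
            $issues += "started by $parentName"
        }

        # 3. Signature: the Verify button on the Image tab.
        $signer = ''
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -eq 'Valid') {
                $signer = $sig.SignerCertificate.Subject
            } else {
                $issues += "signature $($sig.Status)"
            }
        }

        # 4. Services: the Services tab. services.exe only launches svchost
        #    to host something, so an svchost that hosts nothing is suspect.
        $services = ''
        if ($name -eq 'svchost.exe') {
            $hosted = Get-WmiObject Win32_Service -Filter "ProcessId=$($p.ProcessId)" |
                      ForEach-Object { $_.Name }
            if ($hosted) { $services = $hosted -join ', ' }
            else         { $issues += 'hosts no services' }
        }

        [PSCustomObject]@{
            PID      = $p.ProcessId
            Name     = $p.Name
            Path     = $path
            Parent   = $parentName
            Signer   = $signer
            Services = $services
            Issues   = ($issues -join '; ')
        }
    }
}

# Suspicious entries (non-empty Issues column) sort to the top.
Get-ImpostorReport | Sort-Object Issues -Descending | Format-Table -AutoSize
```

On a clean machine every row has an empty Issues column, the csrss.exe rows show an exited parent and the svchost.exe rows each list one or more services. An entry with a path outside System32 (or SysWOW64 for svchost), a live parent other than smss.exe or services.exe, a signature status other than Valid, or an svchost hosting nothing is the one to open in Process Explorer and look at more closely.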


Article C3476 - August 20, 2008


5 Comments

I also found system explorer to be a useful utility.

Posted by: Rohit at August 20, 2008 1:22 PM

And just for reference, a great place to look up Windows processes is: www.processlibrary.com

Posted by: John at August 21, 2008 7:38 AM

Leo,

Excellent article. I've been looking for a good replacement for Task Manager. Thank you very much!

Posted by: Mike at August 26, 2008 8:07 AM

A good article Leo.
Another good program to look at is Autoruns, it shows ALL running processes, you have the option of terminating temporarily or permanently.
Try it, it's FREE.

Autoruns does not show you what's running now. It shows you what runs automatically at boot, login and other times. But for example if those programs run automatically and then exit (as some do), they will be listed in autoruns, but they will not actually be running at the time you look.

Different (and very good) tool, but for a different purpose.

-Leo

Posted by: Chris Faulkner at August 27, 2008 4:54 AM

What is the difference between What's Running and Process Explorer? The programs look about the same.

Posted by: Robert at August 27, 2008 10:32 AM
