Lsass.exe, cidaemon.exe: Invisible Threats or Legitimate Processes?
10 Most Common Processes Running on PCs
Question: With over 30 processes running on your PC at any one time, how
do you distinguish between legitimate tasks being performed
for the stability of your system and malicious code aiming to
compromise security?
Since we launched this section on our website,
we have received a good number of emails asking us which, in
our experience, are the ten most common processes running on
computers. I've taken the liberty of answering you all through
this article, and I've also written an article about the latest
top 5 security threats (read "Top 5 Common Security Threats").

While you are reading this article, your computer
is most definitely running lsass.exe, several instances of svchost.exe,
and alg.exe. Are these invisible threats or legitimate processes?
They're legitimate all right but, in some instances, there are
serious security breaches that disguise themselves as legitimate
processes. Well, here goes our top ten - you'll find the full
descriptions on processlibrary.com:
- LSASS.EXE:
Process Name: Local Security Authority Service
Process Description: lsass.exe is a system process of the
Microsoft Windows security mechanisms. It specifically deals
with local security and login policies. The lsass.exe name also
relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L,
Randex.AR and Nimos.worm, which spread via floppy disk drives,
mass-mailing and peer-to-peer sharing.
- ALG.EXE:
Process Name: Application Layer Gateway Service
Process Description: alg.exe is a part of the Microsoft Windows
operating system. It is a core process for Microsoft Windows
Internet Connection sharing and Internet connection firewall.
This program is important for the stable and secure running
of your computer and should not be terminated.
- SVCHOST.EXE:
Process Name: Microsoft Service Host Process
Process Description: svchost.exe is a system process belonging
to the Microsoft Windows Operating System which handles processes
executed from DLLs. This program is important for the stable
and secure running of your computer and should not be terminated.
It should be noted that svchost.exe is a process which is
registered as the W32.Welchia.Worm. It takes advantage of
the Windows LSASS vulnerability, which creates a buffer overflow
and instigates your computer to shut down. To determine whether
the process is legitimate or not, review the file path and check
whether it is in your system folder. If it is, it is OK; if
not, then this is a registered security risk and should be
removed immediately.
- CSRSS.EXE:
Process Name: Microsoft Client/Server Runtime Server Subsystem
Process Description: csrss.exe is the main executable for
the Microsoft Client/Server Runtime Server Subsystem. This
process manages most graphical commands in Windows. This program
is important for the stable and secure running of your computer
and should not be terminated. csrss.exe is also a process which
is registered as the W32.Netsky.AB@mm worm, the W32.Webus
Trojan, Win32.Ladex.a and more. This virus is distributed
via the Internet through e-mail and comes in the form of an
e-mail message, in the hope that you open its hostile attachment.
The worm has its own SMTP engine, which means it gathers e-mail
addresses from your local computer and re-distributes itself. In
the worst cases this worm can allow attackers to access your
computer, stealing passwords and personal data. It is a registered
security risk and should be removed immediately.
- SMSS.EXE:
Process Name: Session Manager Subsystem
Process Description: smss.exe is a process which is a part
of the Microsoft Windows Operating System. It is called the
Session Manager SubSystem and is responsible for handling
sessions on your system. This program is important for the
stable and secure running of your computer and should not
be terminated. Note: smss.exe is also a process which is registered
as the Win32.Ladex.a Trojan. This Trojan allows attackers
to access your computer, stealing passwords and personal data.
It is a registered security risk and should be removed immediately.
- SCVHOST.EXE:
Process Name: W32/Agobot-S virus
Process Description: scvhost.exe is a process which is registered
as the W32/Agobot-S virus. This Trojan allows attackers to
access your computer, stealing passwords and personal data.
It is a registered security risk and should be removed immediately.
- WDFMGR.EXE:
Process Name: Windows Driver Foundation Manager
Process Description: wdfmgr.exe is part of Microsoft Windows
Media Player 10 and above. This process decreases compatibility
problems whilst the product is in use. This program is a non-essential
process to the running of the system, but should not be terminated
unless suspected to be causing problems.
- CTFMON.EXE:
Process Name: Alternative User Input Services
Process Description: ctfmon.exe is a part of the Microsoft
Office suite. It activates the Alternative User Input Text
Input Processor (TIP) and the Microsoft Office XP Language
Bar. This program is a non-essential system process, but should
not be terminated unless suspected to be causing problems.
- SERVICES.EXE:
Process Name: Windows Service Controller
Process Description: services.exe is a part of the Microsoft
Windows Operating System and manages the operation of starting
and stopping services. This process also deals with the automatic
starting of services during the computer's boot-up and the
stopping of services during shut-down. This program is important
for the stable and secure running of your computer and should
not be terminated. Note: services.exe is also a process which
is registered as the W32.Randex.R (stored in %systemroot%\system32\
directory) and Sober.P (stored in %systemroot%\Connection
Wizard\Status\ directory) Trojans. These Trojans allow attackers
to access your computer, stealing passwords and personal data.
They are a registered security risk and should be removed immediately.
- SPOOLSV.EXE:
Process Name: Microsoft Printer Spooler Service
Process Description: spoolsv.exe is a Microsoft Windows system
executable which handles the printing process to your local
printers. Note: spoolsv.exe is also a process which is registered
as the Backdoor.Ciadoor.B Trojan. This Trojan allows attackers
to access your computer, stealing passwords and personal data.
It is a registered security risk and should be removed immediately.
What's cidaemon.exe? Well, you know what you
have to do!