Common Windows Processes
Note: For my own sanity, these processes are listed categorically, not alphabetically. If you're looking for a specific item, use your browser's search function (CTRL + F).
Required XP Processes
These are the processes that must be running for Windows to function properly.
Killing any of these will stop Windows from working correctly. Any other process is fair game, however.
- explorer.exe (not to be confused with Internet Explorer's iexplore.exe)
- csrss.exe
- lsass.exe
- services.exe
- smss.exe
- winlogon.exe
- alg.exe (added in Service Pack 2)
- svchost.exe (depending on your configuration, your computer may have between 4 and 6 copies of this running at the same time)
NOTE: A lot of viruses give themselves names very similar to those in the list above in order to avoid detection. Keep your eyes peeled for camouflaged names like "lssas.exe" or "exp1orer.exe".
Benign Processes
These technically aren't "vital" processes but don't worry about killing them while cleaning out your machine unless you're desperate for free RAM.
NOTE1: This page is indebted to Black Viper (formerly at http://www.blackviper.com; see a mirror at http://www.dead-eye.net/WinXP%20Services.htm) for much of its information.
NOTE2: If something isn't listed here, try this site.
NOTE3: autorunsc.exe, found in the Misc Utilities folder on ITS-STU, can also be useful in identifying suspicious processes.
Worthless processes are colored teal, while universally important processes are colored orange. The rest are tossups based on your personal preferences.
- ctfmon.exe - This is the Language Bar, which is used for displaying non-standard character sets (e.g. Chinese, Korean, Arabic). If you don't use it, you can disable this RAM-sink by going to Control Panel -> Regional and Language Options -> Languages TAB -> Details BUTTON -> Language Bar BUTTON (under "Preferences") -> select the "Turn off advanced text services" check box.
- dxdiag.exe - Technically, a diagnostic tool for DirectX, Microsoft's 3D graphics library. However, if you're seeing this pop up a lot, it's probably the Feardoor trojan.
- mdm.exe - The Machine Debug Manager for Microsoft's Visual Studio and some portions of MS Office. Pointless unless you're doing debugging, but perfectly safe.
- MsPMSPSv.exe - A Digital Rights Management-related process that gets installed with Windows Media Player 7. Like many things Microsoft-related, it doesn't really do much besides use up ~1.2MB of RAM. Can be disabled as a service (under the name WMDM PMSP Service), or completely uninstalled by typing the following into a command prompt: mspmspsv -u
- rundll.exe - This is a valid system process for Windows 95, 98, and ME, but if found in 2000 or XP it's a virus (most likely Agobot.)
- rundll32.exe - The Windows 2000/XP version of the above and is safe as long as it's located in the C:\WINDOWS\System32 folder. If not, it's a virus.
- spoolsv.exe - Windows uses this process to send documents to your printer.
- wdfmgr.exe - "Windows User Mode Drive Manager," comes with Windows Media Player 10, and is supposed to help with compatibility issues. Safe, but if the Media Player is freezing try killing it; that sometimes jump-starts things.
- WMIPrvSe.exe - A system process that some programs (frequently drivers) require to run. It is common for this process to appear one day and never go away (probably because you installed something that always needs to use it.) Watch out for the imposter wmiprvsw.exe, which is a virus.
- wscntfy.exe - A Microsoft process for checking for updates for various pieces of software you own. Sounds important, but is actually pretty useless.
- wowexec.exe - "Windows on Windows Execution," allows you to run 16-bit (read: older) applications. May pop up even when you aren't running a 16-bit application, as Windows may be trying to use a really old driver or other hocus-pocus.
- wuauclt.exe - Normally, the Windows updater. This is the thing that pops up the annoying "Updates are available for download" speech bubbles. NOTE: When not stored in the C:\WINDOWS\System32 folder this program is actually a virus! If this process never goes away, start getting suspicious...
- IEXPLORE.EXE - Microsoft's Internet Explorer (Note: this might be malicious if you have a virus).
- mozilla.exe - The Mozilla web browser. Precursor to Mozilla Firefox.
- firefox.exe - The Mozilla Firefox web browser.
- msnmsgr.exe - Microsoft's MSN Messenger. Auto-startup can be disabled in its preferences.
- acrotray.exe - A printing-related process that the full version of Adobe Acrobat uses.
- iPodManager.exe - What it says--this program is legit (although superfluous if you don't own an iPod.)
- iTunesHelper.exe - Usually running in the background; helps iTunes do various things like starting up faster, managing your media library, and listening for when you connect your iPod. Keep it around if you want iTunes to stay happy.
- jusched.exe - A process that periodically checks for updates for your version of the Java Virtual Machine (the thing that allows you to run programs written in the Java programming language). This is usually a worthwhile investment of resources.
- kdb.exe - This is supposed to be a KSQL server- and database-related process, but I've seen it on a few personal machines for some reason. May or may not be a rat.
- keyacc32.exe - This is the Pomona keyserver verification program. It is required to use keyserved programs like Photoshop.
- realsched.exe - While it's tempting to put RealPlayer in with the rest of the undesirable programs, its main problem is poorly-written code and the occasional ad. This is some obnoxious updating program that is probably necessary for RealPlayer to run...although uninstalling it will fix that problem...
- sgtray.exe - "Storage Guard," by Veritas Software. This process periodically reminds you to back up your files.
- StarWindService.exe - Part of the disk emulation driver for Alcohol 120%. Necessary for the program to work correctly.
- qttask.exe - The system tray icon for Apple's Quicktime media player. Can be disabled in Quicktime's preferences to free up RAM.
- ViewMgr.exe - This is part of the Viewpoint media player. It probably snuck onto your machine when you installed AOL Instant Messenger, which has been quietly bundling it in for quite some time now. The program isn't malicious, but it's also fairly worthless since it doesn't play anything anyone really cares about. You can uninstall it fairly easily by going to Control Panel > Add/Remove Programs. Make sure you blow away both the media player and the manager.
- devldr32.exe - If you have a sound card made by Creative Labs, you probably have this running. It's just a driver, you can ignore it.
- CCAPP.EXE - A service related to some Creative Sound Blaster! sound cards.
- CCEVTMGR.EXE - A service related to some Creative Sound Blaster! sound cards.
- CCSETMGR.EXE - A service related to some Creative Sound Blaster! sound cards.
- CTDVDDET.EXE - A service related to some Creative Sound Blaster! sound cards.
- CTHELPER.EXE - A service related to some Creative Sound Blaster! sound cards.
- CTSSVCCDA.EXE - A service related to some Creative Sound Blaster! sound cards.
- CLI.exe - A system tray icon for newer versions of the ATI drivers.
- Ati2evxx.exe - The "ATI Hotkey Poller," a fairly useless but harmless bit of functionality that's part of the driver bundle for ATI video cards and chipsets.
- atievxx.exe - An older version of the above.
- ati2sgag.exe - Another piece of the ATI driver, named "ATI Smart." Mostly useless but harmless.
- atiptaxx.exe - An older version of CLI.exe.
- nvsvc32.exe - A driver for nVidia video cards.
- hpwuSchd.exe - A Hewlett-Packard driver of some kind.
- hpsysdrv.exe - A Hewlett-Packard driver of some kind.
- hpotdd01.exe - A Hewlett-Packard driver of some kind.
- hpcmpmgr.exe - A Hewlett-Packard driver of some kind.
- hpmon05.exe - A Hewlett-Packard driver of some kind.
- McShield.exe - This and the following are part of McAfee AntiVirus and are required for it to function properly.
- McVSEscn.exe - McAfee
- mcvsrte.exe - McAfee
- mcvsshld.exe - McAfee
- mcagent.exe - McAfee
- FrameworkService.exe - Part of the corporate version of McAfee.
- naPrdMgr.exe - Part of the corporate version of McAfee.
- VsTskMgr.exe - Part of the corporate version of McAfee.
- navapsvc.exe - This and the following are parts of various versions of Norton's AntiVirus program and are required for it to function properly.
- rtvscan.exe - Norton
- Navapw32.exe - Norton
- vptray.exe - Norton
- cfgwin.exe - Norton (some versions)
- defwatch.exe - Norton (some versions)
- symwsc.exe - Norton
- avgamsvr.exe - Part of AVG AntiVirus (Free Edition).
- avgcc.exe - Part of AVG AntiVirus (Free Edition).
- avgemc.exe - Part of AVG AntiVirus (Free Edition).
- avgupsvc.exe - Part of AVG AntiVirus (Free Edition).
Malicious and/or Otherwise Undesirable Processes
- Gain.exe - A very bad form of adware/spyware/demon. Blame Gator Corp. (now Claria), source of all things evil.
- rundll.exe - This is a valid system process for Windows 95, 98, and ME, but if found in 2000 or XP it's a virus (most likely Agobot.)
- rundll32.exe - The Windows 2000/XP version of the above and is safe as long as it's located in the C:\WINDOWS\System32 folder. If not, it's a virus.
- wmiprvsw.exe - The Sasser worm. Tries to look like the valid wmiprvse.exe Windows process.
- wuauclt.exe - Normally, the Windows updater. This is the thing that pops up the annoying "Updates are available for download" speech bubbles. NOTE: When not stored in the C:\WINDOWS\System32 folder this program is actually a virus! If this process never goes away, start getting suspicious...
- main screen turn on
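The camouflaged-name warning and the C:\WINDOWS\System32 location rule from this page, combined into one check (an added example, not part of the original page). The digit-for-letter table, the one-edit threshold and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Names from this page: the required XP processes, the two it ties to
# System32, and WMIPrvSe.exe (impersonated by wmiprvsw.exe).
KNOWN = ["explorer.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe",
         "winlogon.exe", "alg.exe", "svchost.exe", "rundll32.exe",
         "wuauclt.exe", "wmiprvse.exe"]
SYSTEM32_ONLY = {"rundll32.exe", "wuauclt.exe"}
SYSTEM32 = r"c:\windows\system32"
# Assumed digit-for-letter swaps, e.g. the "1" in "exp1orer.exe".
LOOKALIKES = str.maketrans("1053", "lose")

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters is one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, name) for one full image path."""
    folder, name = ntpath.split(image_path.lower())
    if name in KNOWN:
        if name in SYSTEM32_ONLY and folder != SYSTEM32:
            return "wrong-path", name
        return "ok", name
    norm = name.translate(LOOKALIKES)
    for good in KNOWN:
        if osa_distance(norm, good.translate(LOOKALIKES)) <= 1:
            return "lookalike", good  # near miss of a trusted name
    return "unknown", name

# Constructed sample paths, not taken from a real machine.
SAMPLE = [r"C:\WINDOWS\System32\lsass.exe", r"C:\WINDOWS\System32\lssas.exe",
          r"C:\WINDOWS\exp1orer.exe", r"C:\Temp\rundll32.exe",
          r"C:\WINDOWS\System32\wmiprvsw.exe",
          r"C:\Program Files\Mozilla Firefox\firefox.exe"]

def scan(paths):
    """Return only the entries that deserve a closer look."""
    results = [(p,) + classify(p) for p in paths]
    return [r for r in results if r[1] in ("lookalike", "wrong-path")]

if __name__ == "__main__":
    for path, verdict, name in scan(SAMPLE):
        print(f"{verdict:10} {path}  (trusted name: {name})")
```

Short trusted names such as alg.exe sit one edit away from many harmless names, so treat a "lookalike" verdict as a prompt to inspect the file rather than as proof.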