Friday, December 7, 2018

How do I know what's bad if I don't know what's good?

I was talking with my nephew the other day - about a subject totally unrelated to computers - but he asked a very interesting question during our discussion.

How do I know what's bad if I don't know what's good?

What a great question! Especially when you're dealing with complex attack techniques in today's world. If you're trying to figure out if you've been compromised, then you'd better know what should be there. That way, you know when something out of the ordinary shows up.

For the next few posts, I'm going to talk about several Windows processes and what you should know about them.

Today, let's talk about services.exe, also known as the Service Control Manager.

What is it? Where should it be? How many instances should I see running in task manager? Most importantly, is services.exe safe?

What is it: Services.exe is designed to start and stop Windows system processes as well as handle scheduled tasks. It also launches the Service Control Manager (SCM), which runs at system startup and loads services and device drivers marked for auto-start. It also maintains the database of installed services, locking and unlocking the service database, and sends requests to the running services.

If you're familiar with the Last Known Good control set, SCM (services.exe) is the process that gives the thumbs up to whether a user has successfully logged on interactively.

Where should it be: %systemroot%\system32\services.exe

How many should there be when I open up task manager: One.

Parent process: wininit.exe

So the final verdict on the safety of services.exe? If there is only one process running and it is located in %systemroot%\system32\services.exe, you should be good.
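The three checks above (one instance, the expected path, parent wininit.exe) are easy to script so you are not eyeballing Task Manager every time. The following PowerShell is an added example written for this post, not code from the original, and it adds one check the post does not mention: an Authenticode signature check on the image file. It assumes it is run from an elevated prompt, since Win32_Process only exposes ExecutablePath for SYSTEM processes to an administrator.

```powershell
# Baseline check for services.exe: exactly one instance, image under
# %SystemRoot%\System32, parent process wininit.exe. Constructed example,
# not from the original post. Run elevated so ExecutablePath is readable.

$expectedPath = Join-Path $env:SystemRoot 'System32\services.exe'
$findings = @()

# Win32_Process gives us PID, parent PID and the on-disk image path.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'")

# Check 1: exactly one instance should be running.
if ($procs.Count -ne 1) {
    $findings += "Expected 1 services.exe, found $($procs.Count)"
}

foreach ($p in $procs) {
    # Check 2: the image must be %SystemRoot%\System32\services.exe
    # (case-insensitive compare, since WMI often reports 'system32').
    if (-not $p.ExecutablePath) {
        $findings += "PID $($p.ProcessId): ExecutablePath not readable (run elevated)"
    }
    elseif ($p.ExecutablePath -ine $expectedPath) {
        $findings += "PID $($p.ProcessId) runs from '$($p.ExecutablePath)', expected '$expectedPath'"
    }

    # Check 3: the parent must be wininit.exe.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent) {
        $findings += "PID $($p.ProcessId): parent PID $($p.ParentProcessId) no longer exists"
    }
    elseif ($parent.Name -ine 'wininit.exe') {
        $findings += "PID $($p.ProcessId): parent is '$($parent.Name)' (PID $($parent.ProcessId)), expected wininit.exe"
    }

    # Extra check beyond the post's three criteria: the file on disk should
    # carry a valid Authenticode signature.
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') {
            $findings += "PID $($p.ProcessId): signature status is '$($sig.Status)'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'services.exe matches baseline: one instance, expected path, parent wininit.exe, valid signature.'
}
else {
    Write-Output 'services.exe deviates from baseline:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A second instance, an image outside System32, or a parent other than wininit.exe each produce a finding rather than stopping the script, so you see every deviation at once. Because wininit.exe stays alive for the life of the session, a parent lookup that returns nothing or a different name is itself worth a closer look.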