
How can I tell from where an EXE file is being run?

Question:

I am just about fed up with Windows Vista running so much stuff in
the background that I don’t understand. I’ve become obsessed with
checking out what processes are running and then Googling them. The
problem is most sites then tell me it’s a legit MS program – often
described as being important for stability – then in the next paragraph
they say that the same exe file is a registered Trojan or virus.

The latest was ‘csrss.exe’ (two at the same time). When I looked it
up it was explained it should be in the system 32 folder, but I have
one in there and another somewhere else that I can’t find – task
manager will not show the file location for either!

I can certainly sympathize with Windows Vista’s complexity. This
isn’t a simple operating system any more, and it’s not something that
can be “pared down” to just a couple of running programs. Vista will
always have lots of processes running. It’s not a good thing, it’s not
a bad thing, it’s just a thing … a reflection of a large and complex
operating system that’s trying to do a lot.

But the point you raise is a good one. Virus writers often try to
obfuscate what they’re about by naming their virus files the same as
system executables. As you’ve seen, csrss.exe in one place is critical
to system operation, and yet csrss.exe run from some other place is
most likely a virus.

How do you know which is which?


First and foremost, for most people, the correct answer is that you
should never need to know. This is something that your anti-virus and
anti-spyware software should be taking care of for you. Good
anti-malware software will either eliminate the “bad versions” of
malware trying to masquerade as something else, or at a minimum warn
you. The key is twofold:

  • Make sure that both the anti-virus and anti-spyware
    programs are up to date

  • Make sure that both the anti-virus and anti-spyware
    databases are up to date – most will update automatically, so
    you need to make sure that this is happening, and happening daily.


Now, for the rest of us who want to know what the heck is going
on…

As you point out, Task Manager will show you that multiple copies of
something called “csrss.exe” may be running, but it won’t tell you
where they reside.

Enter Process Explorer. This is a free download I’ve often referred to
as “Task Manager on steroids”. I never use Task Manager anymore, just
procexp.

After running Process Explorer, simply hovering the mouse over the
item we care about gives us that key bit of information:

Process Explorer showing location of csrss.exe

Here you can see that on my machine csrss.exe is running from
c:\windows\system32 – exactly where it should be.

There’s more information available, though. Right click on the item,
and click on Properties to get this:

Process Explorer showing properties of csrss.exe

The properties dialog contains a whole host of information about any
running process. In this “Image” tab you can see not only the location
of the executable being run, but also any command line parameters that
might have been passed, its current working directory and more. The
other tabs show even more information.

Of particular note are processes that provide Windows Services. If I
right click on one of the instances of “svchost.exe”, click on
Properties and then the Services tab, I get this:

Svchost.exe services list

As I’ve discussed in other articles, svchost is the “Service Host”
executable – it acts as a “host” within which other services can run.
You’ll often find multiple copies of it running on your machine, and
each one may be host to one or more Windows system services. Here you
can see that this particular copy of svchost is running many services
on my machine.

Since there are already multiple copies of svchost.exe running, it’s
a common target for malware authors to “slip in another one” that might
run from a different location in the hopes that you won’t notice. If
you suspect a problem, svchost.exe is just like csrss.exe – it should
be running from c:\windows\system32 and nowhere else.
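As an added example (not part of the original article), the following PowerShell script does from the command line what the Process Explorer screenshots above show: it lists every csrss.exe and svchost.exe, reports its image path, flags any instance not running from %SystemRoot%\System32, and for each svchost.exe lists the services it hosts. It assumes Windows PowerShell 3 or later for Get-CimInstance; on older systems Get-WmiObject takes the same class names.

```powershell
# Added example (not from the article): flag csrss.exe / svchost.exe
# instances that are not running from %SystemRoot%\System32, and list the
# services hosted by each svchost.exe, mirroring Process Explorer's Image
# and Services tabs. Run from an elevated PowerShell: the image path of
# protected processes such as csrss.exe is hidden from non-admin users.

$expected = Join-Path $env:SystemRoot 'System32'
$names    = @('csrss.exe', 'svchost.exe')

# Win32_Process exposes the executable path and command line of every
# process; Win32_Service maps each service to the PID that hosts it.
$procs    = Get-CimInstance Win32_Process | Where-Object { $names -contains $_.Name }
$svcByPid = Get-CimInstance Win32_Service |
            Group-Object -Property ProcessId -AsHashTable -AsString

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        $verdict = 'UNKNOWN (path hidden; rerun elevated)'
    } elseif ((Split-Path $path -Parent).TrimEnd('\') -ieq $expected) {
        $verdict = 'OK'
    } else {
        $verdict = 'SUSPECT: not in System32'
    }
    Write-Output ("{0,-12} PID {1,-6} {2,-40} {3}" -f $p.Name, $p.ProcessId, $verdict, $path)

    # For svchost.exe, show the hosted services as the Services tab does.
    if ($p.Name -ieq 'svchost.exe') {
        $hosted = $svcByPid[[string]$p.ProcessId]
        if ($hosted) {
            $hosted | ForEach-Object {
                Write-Output ("    service: {0} ({1})" -f $_.Name, $_.DisplayName)
            }
        } else {
            # A "svchost.exe" that hosts no service at all deserves a closer look.
            Write-Output "    no services hosted by this PID"
        }
    }
}
```

The "UNKNOWN" verdict is the command-line equivalent of Task Manager refusing to show a location: it means the query lacked rights to read the image path, not that the file is missing.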


7 comments on “How can I tell from where an EXE file is being run?”

  1. A good article Leo.
    Another good program to look at is Autoruns, it shows ALL running processes, you have the option of terminating temporarily or permanently.
    Try it, it’s FREE.

    Autoruns does not show you what’s running now. It shows you what runs automatically at boot, login and other times. But for example if those programs run automatically and then exit (as some do), they will be listed in autoruns, but they will not actually be running at the time you look.

    Different (and very good) tool, but for a different purpose.

    -Leo

    Reply
  2. Hi Leo, great site. Here’s a question I CAN’T find an answer to anywhere:

    In windows, and specifically in Vista, could malware run through the taxi svchost.exe, INSIDE the system32 folder?

    For instance, is it not possible that executed malware, in the form of injected code, could edit say a trojan to run from your system32 folder under the system taxi svchost.exe? Or better yet, list itself there as a regular service like: Dhcp, DHCP Client? HOW do I check where DHCP client is?

    And if svchost.exe connects to the net, with an illegitimate service running from the system32 folder, what then? How do you check each instance of svchost.exe’s connection, with only knowing it is svchost.exe connecting from the system32 folder? If you cannot, this would be a great taxi for more than windows services.

    As much as I search, I find no answer to this question, and only hints that it is possible. Hopefully you can shed some light on the situation, thanks!

    Chris

    I’m not really sure what you mean by “taxi”, that’s a term I’ve not heard used in this context. Could SVCHOST be used to run malicious code? Absolutely. What then? Same as any other virus, you take steps to eradicate it as best you can. Normally there’s an additional file that contains the malware and scanners would look for and remove that. However prevention remains the best approach by far.

    Leo
    07-Sep-2009
    Reply
