Windows Processes

October 2016

Below is a brief description of all processes that appears under Windows Task Manager.


Csrss means Client Server Run-time Subsystem.
It is an essential subsystem that must operate continuously. Csrss manages applications consoles, the creation and destruction of threads and some parts of the environment for 16-bit virtual MS-DOS.


Explorer.exe is the Interface for Windows desktop, taskbar, etc ... This process is not vital for the system (you can absolutely stop to restart via the task manager - to open and then type explorer.exe) by against if you stop, beware, you n 'will have more than your screen.


Lsass.exe the server local security authentication found in the root of the process responsible for authenticating users of Winlogon service.
If authentication is successful, Lsass generates the token user access that is used by launching the initial shell.
Other processes that the user can launch will inherit this token.


This is the tasks scheduler responsible for launching tasks in a specific time that you choose.


Smss.exe is the sub-system management session (Session Manager Subsystem) responsible for launching user session.
This process is responsible of various activities including the launching of process Winlogon and Win32 (csrss.exe) and positioning system variables.
Once the process launched, it expects Winlogon or Csrss ends. If this occurs normally, the system stops.


Spoolsv.exe is the process responsible for managing print jobs and fax...


Svchost.exe is a generic process working as a host for other processes turning from Dlls, there may be several entries for this process.


The rtvscan.exe file runs the real-time scanning option of the Symantec Internet Security Suite and is responsible for detecting malicious code,viruses and other malware processes. When a new file enters the system, the rtvscan.exe file will automatically execute and scan the file, immediately notifying the user about any files it detects.It can also automatically clean the infected file.

Services.exe is the Service Control Manager (Service Control Manager) responsible for starting and stopping and the interaction with the system.


Most of the kernel-mode threads run as the System process.

System Idle Process

System Idle Process a single thread running on each processor, its only function is to manage the processor when the system does run any other thread.


Winlogon.exe is the process responsible for managing the opening and closing session. It is active only when the user presses CTRL + ALT + DEL, at this moment it displays the Security Council.


It is a core component of client management under Windows 2000 which initializes when the first client application connects.
It is the WMI service that allows timing resources on the memory, disk...

The above listed processes usually use a small part of memory usage. However if you see that it involves greater than usual. It may happen that your system has been visited by some viruses. You are therefore recommended to make a complete scan of your computer system.

Windows processes

Tasklist is the command line tool included with Windows.
Open a DOS window and type: tasklist to see the process list.
(Or: tasklist> liste.txt to get the output into a text file.)

tasklist / M will provide you the DLLs used by each process.
tasklist / SVC lets you know which service is present in every executable memory (if a service).

Process Explorer

Process Explorer displays a detailed list of the process and has many functions: see the complete command line that launched a service or an executable file, find the DLL / File / handles used by applications.

Related :

This document entitled « Windows Processes » from CCM ( is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.