SOLUTIONS SECURITY WATCH
Troubleshoot Like a Pro

Rarely does a call to tech support “teach a man to fish.” Heck, often enough, you don’t even get a fish out of it. Why not learn to be your own support tech?

By Matthew D. Sarrel

It happens to hundreds of people every day. You’re at your PC, and seemingly without any cause, it slows to the point of being unusable. Maybe the hard drive light is lit constantly, maybe not. You reboot and the same thing happens. What could it be?

Many users, at this point, make the dreaded phone call to tech support and inevitably get sucked into the blame game miasma. Microsoft says it’s a conflict with Symantec; Symantec says it’s a hardware issue and to call Dell; Dell says to call Microsoft. And all of them ask the same questions: Is the PC plugged in? Did you reboot? Have you logged in successfully? Did you boot in safe mode?

Fortunately, there’s a solution: a free utility by Sysinternals called Process Explorer (technet.microsoft.com/en-us/sysinternals/bb896653.aspx) that’s extremely helpful. Think of it as a pumped-up Windows Task Manager, examining processes to see which are stealing CPU cycles and detecting which process has which file open. It also tells you about the process chain, or which processes depend on each other to run.

Process Explorer is made up of two windows. The top window shows a list of currently active processes, their dependencies, properties, CPU history, and memory usage. The bottom window provides more information about a selected process or search results. Once you get familiar with Process Explorer, it will be much easier to figure out what’s happening on your Windows PC. It won’t fix errors on its own, but it will point you in the right direction.

[Figure] PROCESS EXPLORER: The top window of Process Explorer shows a list of currently active processes, their dependencies, properties, CPU history, and memory usage.

Tips for Using Process Explorer

1. Sort by CPU usage to identify processes that may be misbehaving. You can dig down to individual threads to try to figure out why the process has become a hog. You can also suspend a process to judge whether it is the culprit. If it isn’t, resume the process and keep looking.

2. Get to know what is running on your PC. The first time you launch Process Explorer, click View, then Select Columns, and make sure that Process Name and Description are checked, then check the radio boxes to add Company Name and Command Line. Click the DLL tab next and check Path; then select the Process Memory tab and check Working Set Size before clicking OK. To configure the lower pane, click View and make sure that Show Lower Pane is checked; then mouse over Lower Pane View and select DLLs.

3. The following are not suspicious and should be ignored: smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe. These, however, are suspicious:

• Any process running from a temporary directory (shown in the Command Line column) such as C:\Temp or C:\Windows\Temp, or a running process referencing a DLL in a temp directory.

• Processes with nonsensical names. This is not always a helpful guideline, but if anything looks out of the ordinary (and only your experience can guide you), then you should look into it. For example, ubyw.exe (a Trojan downloader) seems a little nonsensical to me, as does ehcftwk.exe, which seems especially suspicious because it was spawned by kwtfche.exe, aka CommonName. (CommonName is a spyware program that assigns random names to the EXE files it deploys, which is why you won’t find their names or advice for dealing with them via a Web search.)

• Processes that are typically not bad but can be used as a launchpad by malware. For example, processes such as svchost.exe and rundll32.exe can be used to load other processes. You can follow this chain by looking at the Command Line column to determine the exact application that is using these libraries to load. Anything suspiciously named or located in a temp directory warrants further analysis.

4. Look at all the other applications. Everything should have a description, a company name, and a command line entry, and should make some sense. For example, Winword.exe is made by Microsoft Corp. and runs in C:\Program Files\Microsoft Office\Office 12\WINWORD.EXE.

5. Right-click on any suspicious entries and choose Properties. Does anything there look familiar or provide some key to what the process does?

6. If you still think it’s suspicious, right-click and select Search Online. You can identify many threats directly from this search, and it’s also a good way to find removal applications or information.

7. You can also right-click (unless it’s a system-critical process, as mentioned above) and select Suspend. If it does suspend, that’s good. If not, you may be onto something. Right-click again and select Kill Process Tree and then Kill Process. Associated processes should turn red and die. You may have to repeat these steps.

82 PC MAGAZINE JANUARY 2009
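The checks in tips 3 and 4 (temp-directory executables and DLLs, random-looking names with no publisher, svchost.exe or rundll32.exe pointed at a payload in a temp folder, and a child of an already-suspicious process) can be written down as a small triage script. The one below is an added example for this article, not code from PC Magazine or Sysinternals. The process snapshot is constructed by hand to mirror what the Command Line, Company Name, Description and DLL columns would show, and the "nonsensical name" rule (a run of five or more consonants) is my own assumption rather than anything the article states.

```python
"""Process Explorer triage heuristics as code (added example, not the
article's or Sysinternals' own). The snapshot below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Temp directories named in the article; matching is case-insensitive.
TEMP_DIRS = (r"c:\temp", r"c:\windows\temp")
# Core processes the article says are not suspicious and should be left alone.
KNOWN_SYSTEM = {"smss.exe", "winlogon.exe", "services.exe", "alg.exe", "lsass.exe"}
# Legitimate hosts that load other code: judge them by their arguments.
LAUNCHPADS = {"svchost.exe", "rundll32.exe"}


@dataclass
class Proc:
    pid: int
    name: str
    command_line: str
    company: str = ""
    description: str = ""
    parent_pid: int = 0
    dlls: List[str] = field(default_factory=list)


def in_temp_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(d + "\\") for d in TEMP_DIRS)


def exe_path(command_line: str) -> str:
    """First token of the command line, honouring a quoted path with spaces."""
    cl = command_line.strip()
    if cl.startswith('"'):
        return cl[1:cl.index('"', 1)]
    return cl.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Assumed 'nonsensical name' rule: five or more consonants in a row
    (kwtfche, ehcftwk). Not the article's rule; tune to taste."""
    base = name.lower().rsplit(".", 1)[0]
    run = longest = 0
    for c in base:
        run = run + 1 if c.isalpha() and c not in "aeiouy" else 0
        longest = max(longest, run)
    return longest >= 5


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that trips a heuristic."""
    flagged: Dict[int, List[str]] = {}
    for p in procs:
        if p.name.lower() in KNOWN_SYSTEM:
            continue
        reasons = []
        exe = exe_path(p.command_line)
        if in_temp_dir(exe):
            reasons.append(f"runs from temp directory: {exe}")
        for dll in p.dlls:
            if in_temp_dir(dll):
                reasons.append(f"loads DLL from temp directory: {dll}")
        if p.name.lower() in LAUNCHPADS:
            # Anything after the host executable is the code it was told to load.
            args = p.command_line.split(exe, 1)[1].strip(' "')
            payload = [t for t in args.split() if in_temp_dir(t.split(",")[0])]
            if payload:
                reasons.append(f"{p.name} launching code from temp: {' '.join(payload)}")
        missing = not (p.company and p.description)
        if missing:
            reasons.append("no company name or description")
        if missing and looks_random(p.name):
            reasons.append(f"nonsensical name with no publisher: {p.name}")
        if reasons:
            flagged[p.pid] = reasons
    # Second pass: a child of a flagged process inherits suspicion, the way
    # ehcftwk.exe did for being spawned by kwtfche.exe.
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        if p.parent_pid in flagged and p.name.lower() not in KNOWN_SYSTEM:
            parent = by_pid[p.parent_pid].name
            flagged.setdefault(p.pid, []).append(f"spawned by suspicious {parent}")
    return flagged


SNAPSHOT = [  # constructed sample, not taken from a real machine
    Proc(400, "smss.exe", r"\SystemRoot\System32\smss.exe",
         "Microsoft Corporation", "Windows Session Manager"),
    Proc(600, "csrss.exe", r"C:\Windows\system32\csrss.exe ObjectDirectory=\Windows",
         "Microsoft Corporation", "Client Server Runtime Process", 400),
    Proc(1000, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs",
         "Microsoft Corporation", "Host Process for Windows Services", 700),
    Proc(1500, "rundll32.exe", r'"C:\Windows\system32\rundll32.exe" C:\Windows\Temp\upd.dll,Run',
         "Microsoft Corporation", "Windows host process (Rundll32)", 1000),
    Proc(2000, "WINWORD.EXE", r'"C:\Program Files\Microsoft Office\Office 12\WINWORD.EXE" /n',
         "Microsoft Corporation", "Microsoft Office Word", 1800),
    Proc(2200, "kwtfche.exe", r"C:\Windows\Temp\kwtfche.exe", parent_pid=1800),
    Proc(2300, "ehcftwk.exe", r'"C:\Program Files\Common Files\ehcftwk.exe"',
         parent_pid=2200, dlls=[r"C:\Windows\system32\kernel32.dll", r"C:\Temp\hk.dll"]),
]


def report(procs: List[Proc]) -> None:
    """Print flagged processes, most reasons first."""
    flags, by_pid = triage(procs), {p.pid: p for p in procs}
    for pid in sorted(flags, key=lambda k: -len(flags[k])):
        print(f"PID {pid} {by_pid[pid].name}")
        for r in flags[pid]:
            print(f"    - {r}")


if __name__ == "__main__":
    report(SNAPSHOT)
```

Note that csrss.exe trips the consonant-run rule on its own but is not reported, because the name test only counts against a process that also lacks a company name and description (tip 4); a signed, described Windows binary with an odd name is normal, while an undescribed one is not.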