Task manager 'User name' column empty

[MoodIndigo]

I've noticed in my task manger a few processes: "crss.exe, HControl.exe, ATI...exe, winlogon.exe" have blank values in the 'user name' column whereas everything else has my name.

If I click 'show processes from all users' the blanks are replaced with 'SYSTEM.'

Could someone explain why this is so?

Thanks :)

[Colin-uk Veteran]

Those processes are run under the system account (theyre started by windows itself).

[Singh400]

It is because when you click "Show processes from all users", you re-launch taskmgr.exe with administrator privileges. Thus it has access to all parts of the system (ie crictial services) that allow you to see the username column fully.

[hdood]

  On 09/03/2010 at 09:38, Singh400 said:

It is because when you click "Show processes from all users", you re-launch taskmgr.exe with administrator privileges. Thus it has access to all parts of the system (ie crictial services) that allow you to see the username column fully.

On an unrelated rant, this is pretty important to understand. Task Manager is a regular program with no special privileges. When you run it, it runs as your user just as any other random program. If you click "show processes from all users", it runs just like any other program you've run as administrator.

This also means that any other programs running (malware included) is free to manipulate it in any way they want. The result of this is that you cannot trust Task Manager when it comes to things like finding malware. Anything that is running could simple remove itself from the list.

[MoodIndigo]

  On 09/03/2010 at 09:46, hdood said:

On an unrelated rant, this is pretty important to understand. Task Manager is a regular program with no special privileges. When you run it, it runs as your user just as any other random program. If you click "show processes from all users", it runs just like any other program you've run as administrator.

This also means that any other programs running (malware included) is free to manipulate it in any way they want. The result of this is that you cannot trust Task Manager when it comes to things like finding malware. Anything that is running could simple remove itself from the list.

Can malware also manipulate antivirus programs like NOD32 or are there preventative safeguards in place?

If I cannot trust task manager (which I have done) then what can I trust? NOD32 scans; Hjackthis, other antivirus scans?

[hdood]

  On 09/03/2010 at 10:45, MoodIndigo said:

Can malware also manipulate antivirus programs like NOD32 or are there preventative safeguards in place?

Yes, and this is commonly done by malware. Like you say, antivirus software is designed specifically with this in mind and do what they can to prevent it, meaning it becomes a sort of cat and mouse game. Task Manager on the other hand makes no effort.

  On 09/03/2010 at 10:45, MoodIndigo said:

If I cannot trust task manager (which I have done) then what can I trust? NOD32 scans; Hjackthis, other antivirus scans?

Well, generally speaking you cannot trust anything on the system at all. If the malware has administrative rights, then it can do absolutely anything it wants to any part of the system, including patching the kernel itself. From a security aspect, there is no way to restore a compromised system to a trusted state without reinstalling.

Realistically though, you usually can trust a command line tool like "tasklist/v" because most people don't even know it exists, and most malware isn't that sophisticated.

[soldier1st]

  On 09/03/2010 at 10:59, hdood said:

Yes, and this is commonly done by malware. Like you say, antivirus software is designed specifically with this in mind and do what they can to prevent it, meaning it becomes a sort of cat and mouse game. Task Manager on the other hand makes no effort.

Well, generally speaking you cannot trust anything on the system at all. If the malware has administrative rights, then it can do absolutely anything it wants to any part of the system, including patching the kernel itself. From a security aspect, there is no way to restore a compromised system to a trusted state without reinstalling.

Realistically though, you usually can trust a command line tool like "tasklist/v" because most people don't even know it exists, and most malware isn't that sophisticated.

actually you can trust the system that was compromised just you would need to be aware of what is going on so you can try to spot something wrong and go through everything to make sure all is right.

[hdood]

  On 11/03/2010 at 05:40, soldier1st said:

actually you can trust the system that was compromised just you would need to be aware of what is going on so you can try to spot something wrong and go through everything to make sure all is right.

This isn't practically possible.