Computer security has long been a headache for Lao Zhang. Since he started using a computer, there have been many times when a virus infection left the machine unable to boot. For a beginner like him, telling viruses and Trojans apart from legitimate programs is hard. In practice, however, no matter how a piece of malware hides itself, it eventually has to run inside the system as a process or a service, so finding the problem process or service is the key to finding the malware. Faced with so many system processes and services, how can Lao Zhang spot the problem efficiently? His son showed him the following tricks. Even a beginner only needs to learn to "read the colors" to solve the problem easily.

The first trick: a quick look reveals the clues

Security Process Explorer is a process viewer. Compared with the Task Manager built into Windows, its biggest feature is that it color-codes each process: pure green means very safe, pure red means extremely dangerous, and a green bar with a red portion means there is some risk, and the longer the red block, the greater the risk. If the security rating is blank, the tool could not yet judge that process. Of course, a process's rating alone does not settle the question, because some malware injects itself into a normal process; that case is caught by looking at the more detailed process information. Select the suspicious process, right-click and choose "Details"; the window that opens shows the process name, PID, priority, company name and other information, and the "Used Modules" tab lists the DLL files it has loaded (see SecurityProcessExplorer01.jpg), which helps you identify the process and pick out anything suspicious. For a suspicious process, click the "Block Process" button in that window to add it to the blocked list and terminate it.
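The "Used Modules" check described above can be scripted with what Windows ships. The PowerShell below is an added example, not part of the original article and not code from Security Process Explorer: it lists the DLLs loaded by one process and flags those whose Authenticode signature does not verify and that are loaded from outside the Windows directory, the classic shape of an injected or side-loaded DLL. The PID is supplied by the reader; run it in an elevated PowerShell whose bitness (32- or 64-bit) matches the target process.

```powershell
# Added example (not from the article or from Security Process Explorer): enumerate the
# modules loaded by one process and flag the ones worth a closer look.
# Assumes Windows PowerShell 5.1 or later, run elevated. $ProcessId is supplied by the reader.
param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId
)

$windir = $env:SystemRoot

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
Write-Host ("{0} (PID {1}) image: {2}" -f $proc.ProcessName, $proc.Id, $proc.Path)

# -Module needs a PowerShell host of the same bitness as the target (use the 64-bit
# host for 64-bit processes) and access rights to the target process.
$modules = Get-Process -Id $ProcessId -Module -ErrorAction SilentlyContinue
if (-not $modules) {
    Write-Warning 'Could not enumerate modules (access denied or 32/64-bit mismatch).'
    return
}

$report = foreach ($m in $modules) {
    $path = $m.FileName
    # On current Windows versions Get-AuthenticodeSignature also honours catalog
    # signatures, so genuine system DLLs normally report Valid even without an
    # embedded signature.
    $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $status = $(if ($sig) { [string]$sig.Status } else { 'Unknown' })
    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $path
        InWindows  = ($path -like "$windir\*")
        SigStatus  = $status
        Signer     = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        # A module whose signature does not verify and that lives outside the Windows
        # directory is a lead to research (the article's "More Information" step),
        # not proof of malware: many legitimate programs ship unsigned DLLs.
        Suspicious = (($status -ne 'Valid') -and ($path -notlike "$windir\*"))
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table Module, InWindows, SigStatus, Signer, Suspicious -AutoSize
```

Save it as a .ps1 file and call it with the PID you read off the process list, for example `.\Check-Modules.ps1 -ProcessId 1234`. Compare any flagged module against the same process on a known-clean machine before drawing conclusions.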
Once blocked, a process is generally hard to start again. For an unfamiliar process, besides blocking it outright, you can also turn to the Internet to learn about it and decide whether it is safe: select the process and click the "More Information" link at the bottom of the window, and an English web page on the software vendor's site opens automatically, where you can read other users' evaluations of that process. Not understanding English is no obstacle; click the browser's "Translate" button to have Google translate the page, and the translation is quite good.

The second trick: a specialist's eye for svchost processes

When you open Task Manager you will see several svchost.exe processes. What are all these svchost.exe processes doing, and why, unlike other programs, is there more than one? svchost.exe is a Microsoft Windows system program that hosts services implemented as DLLs; the system services run inside it. Precisely because it is so common and legitimate, many viruses like to masquerade as svchost.exe. How do we tell what each svchost.exe is doing, and which of the several instances are safe and which are not? Here are two small tools made specifically for svchost.exe that let you see clearly through the fog.

1. Svchost Process Analyzer

Svchost Process Analyzer (SPA) displays detailed information about the svchost processes running on Windows. Its main window after a scan is shown in the figure (http://upload.cfan.com.cn/2014/1126/1416964313662.jpg). For more detail, click the "Details" button, and each svchost process is listed with a colour marker.
Red means the process is problematic and needs a security check; if you are still unsure about its safety, the same vendor's Security Task Manager can be downloaded to examine it further. Green marks Microsoft's own programs, and yellow marks a process from a company other than Microsoft that is nonetheless safe. Some entries are grey, meaning they are not active; click the grey marker to see that process's specific status. SPA also gives each process a safe/unsafe verdict, and on the basis of that judgement we can deal with the processes identified as unsafe to keep the system secure.

2. Svchost Viewer

Svchost Viewer is a portable tool that shows specifically which services each svchost.exe is running; extract it to any directory and it is ready to use. On first run, Svchost Viewer asks whether to gather svchost.exe information. Click "Yes", and the program analyses every process currently running on the system and, after a moment, lists the svchost.exe information as shown in Figure 2 (SV01.jpg). Click an entry in the left-hand list and a detailed description of the service appears in the right-hand window, along with the service's status. If the svchost.exe instance does not host an important system service, the "Can the service be stopped?" option below shows a √, meaning that instance can be closed to save system resources. The services behind an unnecessary svchost.exe instance can be closed as well. If you suspect a process, or do not know what it does, look up its PID in a process manager, find the same PID in Svchost Viewer and expand that entry; the process's details appear in the right-hand window.
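The mapping Svchost Viewer and Svchost Process Analyzer perform can also be reproduced with tools built into Windows. The PowerShell below is an added example, not the article's code and not code from either tool: for every svchost.exe instance it lists the services that instance hosts (Win32_Service exposes the hosting PID), names the parent process, and flags an image running from anywhere other than System32 (or SysWOW64, where 64-bit Windows keeps the 32-bit copy), a parent other than services.exe, or an instance hosting no service at all. Run it elevated so the executable path of every instance is readable. The built-in `tasklist /svc` gives the same PID-to-service mapping without the checks.

```powershell
# Added example (not from the article, Svchost Viewer or Svchost Process Analyzer):
# map every svchost.exe to the services it hosts and flag anomalies.
# Assumes Windows PowerShell 5.1 or later, run elevated.
function Get-SvchostReport {
    $windir = $env:SystemRoot
    # The only legitimate locations of svchost.exe (SysWOW64 holds the 32-bit copy on x64 Windows).
    $legitImages = @("$windir\System32\svchost.exe", "$windir\SysWOW64\svchost.exe")

    # PID -> list of service names. Win32_Service.ProcessId is the hosting process.
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $id = [int]$svc.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $svc.Name
    }

    # PID -> process, used to name the parent: svchost.exe is normally started by services.exe.
    $procByPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $procByPid[[int]$p.ProcessId] = $p }

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $id       = [int]$p.ProcessId
        $path     = $p.ExecutablePath          # $null when access is denied
        $parent   = $procByPid[[int]$p.ParentProcessId]
        $services = @()
        if ($svcByPid.ContainsKey($id)) { $services = $svcByPid[$id] }
        $flags    = @()

        if (-not $path) {
            $flags += 'image path unreadable (run elevated)'
        } elseif ($path -notin $legitImages) {
            # The article's rule: a svchost.exe outside System32 is very likely malware.
            $flags += "image outside System32/SysWOW64: $path"
        }
        if ($parent -and $parent.Name -ne 'services.exe') {
            $flags += "parent is $($parent.Name), not services.exe"
        }
        if ($services.Count -eq 0) {
            $flags += 'hosts no service'
        }

        [pscustomobject]@{
            PID      = $id
            Parent   = $(if ($parent) { $parent.Name } else { '?' })
            Services = ($services -join ', ')
            Flags    = ($flags -join '; ')
        }
    }
}

Get-SvchostReport | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

An instance that has just started or is shutting down can briefly show "hosts no service", so re-run before acting on that flag alone; the path and parent checks are the decisive ones.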
Those details include the amount of data read and written, the total number of threads, and so on. Note also that the genuine svchost.exe lives in the Windows\System32 folder (on 64-bit Windows the 32-bit copy lives in Windows\SysWOW64); an svchost.exe running from any other directory is very likely a virus or Trojan. Once you have confirmed that a process is malicious, you can remove it forcibly with the ntsd command: in a command-line window, enter ntsd -c q -p PID, where PID is the process ID. Because ntsd is so powerful, it can kill every process except System, smss.exe and csrss.exe, so the usual "process cannot be terminated" problem does not arise. Two caveats: ntsd ships only with Windows XP and Windows Server 2003 (later Windows versions dropped it, and taskkill /F /PID <PID> is the built-in equivalent there), and killing an svchost.exe instance also stops every service it hosts. In short, each of the small tools above has its own strengths: the first focuses on overall security, the others on scrutinising specific processes, and used together they make a handy helper for keeping the computer safe.