Userful Command Line to Find Out the BAD Processes/Services

By admin, December 28, 2012 12:30

It’s a very common scenario that a server/PC maintained by careless keeper got hacked, which often leads to high CPU usage due to Trojan process running in background.

The followings two are the most useful tools to quickly determine which are the bad nuts.

netstat -nop tcp

- This is very useful to find out if a Trojan service has opened an incoming port, often the status shows “ESTABLISHED”

- netstat can be also used to find out the DDOS IP as those status often ends with “LAST_ACK”

- From the output PID, then you can determine which process from the task manager, but what if it’s a svhost.exe? Problem is you still can’t tell exactly which service as there are several svhost.exe running most of the time, so keep reading.

tasklist /svc |find “Process_ID”

Bingo! This cmd does exactly the trick to find out which is the bad nuts, Process_ID or PID is the one you got in netstat.

Is that so simple? I am afraid not, I’ve seen recently Trojan/DDOS tools have becoming more sophisticated and difficult to catch as they embedded themselves as web scripts utilizing UDP ports as the protocol, either acts as a bot waiting to be activated via URL strings and then send UDP DDOS to the target IP (ie attack others) or exhausts the entire server CPU by issuing UDP commands to fill up Events Logger (ie, attacked the server itself).

What you will find is w3wp.exe (or IIS Service) is using a lot of CPU as well as System (which is the disk activity) being very busy, so you got to use other methods to track down those bad scripts.

Finally, a single svchost.exe can contain many individual services, so the only way to find out which service is responsible is to configure them to run in its separate svchost.

For example, lets start with wuauserv (Windows Update Service) which is often the cause of high CPU, open command prompt and run the following commands:

net stop wuauserv

sc config wuauserv type= own

net start wuauserv

This will isolate wuauserv in its own svchost and then you can check the effect on CPU and identify the PID with tasklist /svc, you are already familiar with the process.

Leave a Reply