What are the common critical processes of Windows 2008 R2?
In monitoring a Windows 2008 R2 Server we need to monitor using CA Tools. I need to confirm the most common critical processes and their names to monitor. I'm creating a list but want to confirm with TechNet which are most critical to monitor for a healthy Server.
Thank you in advance,
Rob Jung ADRWeb
December 25th, 2011 2:02pm
Hi,
my general recommendation would be to not focus on general OS processes. These are launched and stopped when needed in a lot of cases. So monitoring from this perspective would be difficult to achieve. On top of that, it is hard to define which processes are critical, because that also depends on the services delivered by the server. (IIS is pretty critical on most webservers...)
Therefore there are a lot of alternative ways to determine the health of a server. Most important of those is of course the event log. By monitoring the event log, you would not only monitor running critical processes and services, but also their health!
After all, a running process does not always function as desired.
Also, monitoring running services can help in quickly addressing issues with your server.
Another thing that might help in your consideration: there are few really important Windows processes. For most of these processes, Windows does not even allow them to be killed, and if they for some reason would stop, that will crash the server intentionally.
Monitoring these processes will not help you, because the server will reboot to fix the issue before you have found time to act.
MCP/MCSA/MCTS/MCITP
December 25th, 2011 2:59pm
I understand what you are saying and you are 100% correct, and great points added.
Setting up a monitoring system to monitor many Windows servers is important. Our Business Requirement is to set up CA Monitoring Tools with all the Windows 2008 R2 Servers, and in doing so we need to provide Critical Processes for Windows. The tools need to know what "Critical Process" in the Server to monitor. I know there are a few things that can be overlooked; we already have monitoring on the Hardware, we just need more on the OS at this point. It's a very large environment and we can't allocate the time to monitor each server individually. With that said, is my list accurate in showing the most critical Windows 2008 R2 processes (without AD, not joined to a domain, Standard Server)?
Processes                Description
Csrss.exe                Client Server Runtime Process
Dwm.exe                  Desktop Window Manager
Explorer.exe             Windows Explorer
Inetinfo.exe             Internet Information Services IIS 7.0
LogonUI.exe              Windows Logon User Interface Host
lsass.exe                Local Security Authority Process
lsm.exe                  RDP Clip Monitor
Smss.exe                 Windows Session Manager
SMSvcHosts.exe           SMSvcHost.exe
System                   NT Kernel & System
Wininit.exe              Windows Start-Up Application
Winlogon.exe             Windows Logon Application
Perfmon.exe              Resource and Performance Monitor
Svchost.exe (netsvcs)    Host Process for Windows Services
Svchost.exe (termsvcs)   Network Activity
Please confirm, or supply me a new list if needed. Thanks in advance,
Rob Jung ADRWeb
December 25th, 2011 3:34pm
Hi,
you should first define what you think is a critical process: for example, in your list, explorer.exe and inetinfo.exe are not really critical for the OS to run.
Even more, explorer.exe is a user process that only runs for a logged on user (which might be critical if it is a terminal server) and that is not needed even when a user is logged on (you can try: log on, open task manager and kill explorer.exe). It highly depends on the delivered service what processes are critical.
An angle of attack might be to install the server(s) with their critical services and then list the processes remotely (without logging on!) using a tool like pslist.exe
http://technet.microsoft.com/en-us/sysinternals/bb896682. You might focus on processes launched by the system account, the network service account, the local service account or any configured service account on the server.
I've added some comments on your list below:
Csrss.exe (Client Server Runtime Process): indeed critical
Dwm.exe (Desktop Window Manager): only needed when GUI is a requirement, runs as the logged on user
Explorer.exe (Windows Explorer): only needed when GUI is a requirement, runs as the logged on user
Inetinfo.exe (Internet Information Services IIS 7.0): only needed for webservers with IIS
LogonUI.exe (Windows Logon User Interface Host): as far as I know, only used for RDP sessions
lsass.exe (Local Security Authority Process): critical
lsm.exe (RDP Clip Monitor): Local Session Manager, critical
Smss.exe (Windows Session Manager): critical
SMSvcHosts.exe (SMSvcHost.exe): Net.TCP Port Sharing Service, as far as I know related to UAC
System (NT Kernel & System): yes indeed, pretty critical ;)
Wininit.exe (Windows Start-Up Application): critical
Winlogon.exe (Windows Logon Application): critical to maintain user sessions
Perfmon.exe (Resource and Performance Monitor): runs only if performance monitoring is on, not critical
Svchost.exe (netsvcs) (Host Process for Windows Services): most instances are critical indeed
Also consider:
spoolsv.exe: the print spooler for print servers
wmiprvse.exe: the WMI provider, needed for remote management and tooling
MCP/MCSA/MCTS/MCITP
December 25th, 2011 8:02pm
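The two answers above suggest the same thing from different angles: rather than watching a fixed process list, look at which processes run under the service accounts (remotely, without logging on), check that the handful of genuinely critical processes are present, and lean on services and the event log for health. The PowerShell below is an added example illustrating that approach; it is not code from the thread or from CA's tooling. The $CriticalProcesses list is assumed from the names the posters agreed are critical, the function names are hypothetical, and the script uses only WMI (Win32_Process, Win32_Service) and Get-WinEvent, which are available on a 2008 R2 box with PowerShell 2.0 and accept a -ComputerName for remote checks.

```powershell
# Added example (not from the thread). Assumed critical list, built from the
# processes the answers above call critical; adjust per server role.
$CriticalProcesses = @('csrss', 'lsass', 'lsm', 'smss', 'wininit', 'winlogon', 'services', 'svchost')

# Processes owned by these accounts survive user logoff, which is what makes
# them worth watching (explorer.exe and dwm.exe run as the logged-on user).
$ServiceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

function Get-ServiceAccountProcess {
    # Remote inventory without an interactive logon, in the spirit of pslist.
    # Note: GetOwner() fails for the kernel-level 'System' and 'System Idle
    # Process' entries (no token), so they show up as <unknown> and are skipped.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-WmiObject -Class Win32_Process -ComputerName $ComputerName | ForEach-Object {
        $owner = $_.GetOwner()
        $user  = if ($owner.ReturnValue -eq 0) { $owner.User } else { '<unknown>' }
        New-Object PSObject -Property @{
            Name      = $_.Name
            ProcessId = $_.ProcessId
            Owner     = $user
            Path      = $_.ExecutablePath
        }
    } | Where-Object { $ServiceAccounts -contains $_.Owner.ToUpper() }
}

function Test-CriticalProcesses {
    # One row per assumed-critical process, with a Running flag the
    # monitoring tool can alert on.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $running = (Get-WmiObject -Class Win32_Process -ComputerName $ComputerName).Name |
        ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_).ToLower() } |
        Sort-Object -Unique

    foreach ($name in $CriticalProcesses) {
        New-Object PSObject -Property @{
            Process = "$name.exe"
            Running = ($running -contains $name)
        }
    }
}

function Test-AutoStartServices {
    # A service set to Automatic that is not Running is a clearer health
    # signal than a raw process name: it covers IIS, spooler, etc. per role.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, State, StartMode
}

function Get-RecentServiceErrors {
    # Event log angle: Service Control Manager errors from the System log
    # (service crashed, failed to start, terminated unexpectedly).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Level        = 2                              # 2 = Error
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage against the local server (pass -ComputerName for a remote one):
Get-ServiceAccountProcess | Sort-Object Name | Format-Table Name, ProcessId, Owner, Path -AutoSize
Test-CriticalProcesses | Where-Object { -not $_.Running }
Test-AutoStartServices
Get-RecentServiceErrors
```

Running Get-ServiceAccountProcess on a freshly built server with its role installed gives the per-role baseline the second answer describes; the other three functions are the checks that actually tell you whether the server is healthy, since a process being present says nothing about whether the service behind it works.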
These are the essential services for Windows:
System Idle Process, explorer.exe, taskmgr.exe, spoolsv.exe, lsass.exe, csrss.exe, smss.exe, winlogon.exe, svchost.exe (there will be a few of these), services.exe
but this depends on the services which are running on the server.
Darshana Jayathilake
December 26th, 2011 12:53am