What are the common critical processes of Windows 2008 R2?
In monitoring a Windows 2008 R2 Server we need to monitor using CA Tools. I need to confirm the most common critical processes and their names to monitor. I'm creating a list but want to confirm with TechNet which are most critical to monitor for a healthy Server.
Thank you in advance,
Rob Jung ADRWeb
December 25th, 2011 2:02pm

Hi, my general recommendation would be to not focus on general OS processes. These are launched and stopped when needed in a lot of cases. So monitoring from this perspective would be difficult to achieve. On top of that, it is hard to define which processes are critical, because that also depends on the services delivered by the server. (IIS is pretty critical on most webservers...)

Therefore there are a lot of alternative ways to determine the health of a server. Most important of those is of course the event log. By monitoring the event log, you would not only monitor running critical processes and services, but also their health! After all, a running process does not always function as desired. Also, monitoring running services can help in quickly addressing issues with your server.

Another thing that might help in your consideration: there are few really important Windows processes. For most of these processes, Windows does not even allow them to be killed, and if they for some reason would stop, that will crash the server intendedly. Monitoring these processes will not help you because the server will reboot to fix the issue before you have found time to act.
MCP/MCSA/MCTS/MCITP
December 25th, 2011 2:59pm

I understand what you are saying and you are 100% correct and great points added. Setting up a monitoring system to monitor many Windows servers is important. Our Business Requirement is to set up CA Monitoring Tools with all the Windows 2008 R2 Servers and in doing so we need to provide Critical Processes for Windows. The tools need to know what "Critical Process" in the Server to monitor. I know there are a few things that can be overlooked; we already have monitoring on the Hardware, we just need more the OS at this point. It's a very large environment and we can't allocate the time to monitor each server individually. With that said, is my list accurate showing the most critical Windows 2008 R2 (without AD, not joined to domain, Standard Server).

Processes              Description
Csrss.exe              Client Server Runtime Process
Dwm.exe                Desktop Window Manager
Explorer.exe           Windows Explorer
Inetinfo.exe           Internet Information Services IIS 7.0
LogonUI.exe            Windows Logon User Interface Host
Isass.exe              Local Security Authority Process
Ism.exe                RDP Clip Monitor
Smss.exe               Windows Session Manager
SMSvcHosts.exe         SMSvcHost.exe
System                 NT Kernel & System
Wininit.exe            Windows Start-Up Application
Winlogon.exe           Windows Logon Application
Perfomon.exe           Resource and Performance Monitor
Svcost.exe(netsvcs)    Host Process for Windows Services
Svchost.exe (termsvs)  Network Activity

Please confirm, or supply me a new list if needed.
Thanks in advance,
Rob Jung ADRWeb
December 25th, 2011 3:34pm

Hi, you should first define what you think is a critical process: for example in your list, explorer.exe and inetinfo.exe are not really critical for the OS to run. Even more, explorer.exe is a user process that only runs for a logged on user (which might be critical if it is a terminal server) and that is not needed even when a user is logged on (you can try: logon, open task manager and kill explorer.exe). It highly depends on the delivered service what processes are critical.

An angle of attack might be to install the server(s) with their critical services and then list the processes remotely (without logging on!) using a tool like pslist.exe http://technet.microsoft.com/en-us/sysinternals/bb896682. You might focus on processes launched by the system account, the network service account, the local service account or any configured service account on the server.

I've added some comments on your list below:

Csrss.exe (Client Server Runtime Process): indeed critical
Dwm.exe (Desktop Window Manager): only needed when GUI is a requirement, runs as the logged on user
Explorer.exe (Windows Explorer): only needed when GUI is a requirement, runs as the logged on user
Inetinfo.exe (Internet Information Services IIS 7.0): only needed for webservers with IIS
LogonUI.exe (Windows Logon User Interface Host): as far as I know, only used for RDP sessions
Isass.exe (Local Security Authority Process): critical
Ism.exe (RDP Clip Monitor): Local Session Manager, critical
Smss.exe (Windows Session Manager): critical
SMSvcHosts.exe (SMSvcHost.exe): Net.TCP Port Sharing Service, as far as I know related to UAC
System (NT Kernel & System): yes indeed pretty critical ;)
Wininit.exe (Windows Start-Up Application): critical
Winlogon.exe (Windows Logon Application): critical to maintain user sessions
Perfomon.exe (Resource and Performance Monitor): runs only if performance monitoring is on, not critical
Svcost.exe(netsvcs) (Host Process for Windows Services): most instances are critical indeed

Also consider:

spoolsv.exe: the print spooler for printservers
wmiprvse.exe: the WMI provider, needed for remote management and tooling
MCP/MCSA/MCTS/MCITP
December 25th, 2011 8:02pm
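
The approach suggested in the reply above (list processes remotely and focus on those running under the system, network service and local service accounts) can be scripted as a baseline comparison. This is an added example, not part of the original thread; it uses WMI (Win32_Process) instead of pslist.exe, and the server name and baseline file path are placeholders.

```powershell
# Added example (not from the thread). Works with PowerShell 2.0 on Windows 2008 R2.
param(
    [string]$ComputerName = 'SERVER01',                 # placeholder server name
    [string]$BaselinePath = '.\SERVER01-baseline.txt'   # placeholder baseline file
)

# Accounts the reply suggests focusing on; add configured service accounts here.
$serviceAccounts = 'SYSTEM', 'NETWORK SERVICE', 'LOCAL SERVICE'

function Get-ServiceAccountProcess {
    param([string]$Computer, [string[]]$Accounts)
    # Win32_Process is queried over WMI, so no interactive logon is needed.
    Get-WmiObject -Class Win32_Process -ComputerName $Computer | ForEach-Object {
        $owner = $_.GetOwner()
        # ReturnValue 0 means the owner lookup succeeded; other processes are skipped.
        if ($owner.ReturnValue -eq 0 -and $Accounts -contains $owner.User) {
            New-Object PSObject -Property @{ Name = $_.Name; User = $owner.User }
        }
    }
}

# One "name|account" line per distinct process, so svchost.exe instances collapse.
$current = @(Get-ServiceAccountProcess -Computer $ComputerName -Accounts $serviceAccounts |
    ForEach-Object { '{0}|{1}' -f $_.Name.ToLower(), $_.User } | Sort-Object -Unique)

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good server: record what "normal" looks like.
    $current | Set-Content -Path $BaselinePath
    "Baseline written: $($current.Count) entries"
    return
}

# Later runs: report processes that disappeared or appeared since the baseline.
$baseline = @(Get-Content -Path $BaselinePath)
Compare-Object -ReferenceObject $baseline -DifferenceObject $current | ForEach-Object {
    if ($_.SideIndicator -eq '<=') { "MISSING  $($_.InputObject)" }
    else                           { "NEW      $($_.InputObject)" }
}
```

Processes that start and stop on demand will show up as MISSING or NEW between runs, so the baseline is best reviewed by hand before any entry is treated as critical.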

These are the essential services for Windows:

System Idle Process
explorer.exe
taskmgr.exe
spoolsv.exe
lsass.exe
csrss.exe
smss.exe
winlogon.exe
svchost.exe (there will be a few of these)
services.exe

But this depends on the services which are running on the server.
Darshana Jayathilake
December 26th, 2011 12:53am

This topic is archived. No further replies will be accepted.
