Malware Types PDF
Uploaded by ExtraordinaryMars
Anoka-Ramsey Community College
This document provides an overview of different types of malware, including viruses, worms, Trojan horses, rootkits, spyware, adware, and grayware. It explains the characteristics of each type and how they operate.
Malware is a type of malicious software designed to compromise a system without the user's knowledge or approval. It can be very difficult to remove and can cause considerable damage. This lesson covers the topic of malware types.

**Malware Types**

Common types of malware attacks

A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus has the following characteristics:

- A replication mechanism, which usually infects a file and uses it as a host. When the infected file is distributed, the virus is distributed with it. Viruses typically attach to executable files but can also attach to other types of files (such as .doc and .zip files). Some viruses are distributed using infected email attachments that are subsequently replicated to everyone in your address book. They can also be inadvertently downloaded from a malicious or compromised website.
- An objective, which is usually to destroy, compromise, or corrupt data.
- An activation mechanism that, when triggered, causes the virus to replicate. For example, a virus may be activated when an infected file is executed or when it is opened with an associated program.

A worm is a self-replicating program. A worm has the following characteristics:

- A worm does not require a host file to propagate.
- It automatically replicates itself without an activation mechanism. It does not rely on a user to activate it.
- Typically, a worm infects one system and then spreads itself to other systems on the network.

A Trojan horse is malware that is disguised as legitimate software. A Trojan horse has the following characteristics:

- The malicious software is usually hidden within useful software, typically a game. The legitimate part of a Trojan is called a wrapper. The malware is encapsulated within the wrapper. It infects the system when the wrapper software is run.
- A Trojan cannot replicate itself. Instead, it relies on end users to spread it manually.
A Trojan may contain malware that turns the infected computer into a zombie (also called a bot). This allows the infected computer to be remotely controlled by a zombie master (sometimes called a bot herder) to conduct malicious attacks on other computers and networks.

A rootkit is a stealthy type of malware. A rootkit is installed in the boot sector of the hard disk drive, which causes the rootkit to be loaded by the BIOS before the operating system. After the rootkit is loaded, it loads the legitimate operating system installed on the hard drive. As a result, a rootkit can be very difficult to detect and remove from an infected system. Because it is loaded into RAM before the operating system, a rootkit can hide itself from detection methods used by standard anti-malware software. Specialized rootkit detection software may be required to detect the infection. If a rootkit is detected, you may not be able to remove it from the system without completely re-installing the operating system.

Spyware is malware designed to intercept or take partial control of the user's interaction with the computer. Spyware has the following characteristics:

- It is usually installed when the user visits a malicious website, installs an infected application, or opens an infected email attachment.
- Spyware typically collects personal information about the user, such as internet surfing habits, usernames, and passwords. It usually sends the information it captures back to an attacker, who may use it for personal gain or sell it to others.
- Some spyware uses tracking cookies to collect information about a user's internet activities. Some spyware may interfere with the user's ability to control the computer. For example, it may install unwanted software, change computer settings, or redirect web browser activity.

Adware monitors actions to identify personal preferences. Then it sends pop-ups or other types of advertisements that align with those preferences.
Adware has the following characteristics:

- It is usually passive in nature.
- It invades the user's privacy without their permission.
- Spyware may be installed when a user visits a malicious website, installs an infected application, or opens an infected email attachment. Typically, spyware is less destructive than other types of malware. It is typically more annoying than harmful.

Grayware is software that might offer a legitimate service but that also includes features that you are not aware of or features that could be used for malicious purposes.

- Grayware is often installed with the user's permission, but without the user fully understanding what it does. Sometimes permission may be implied, and the user must opt out to avoid having the software installed.
- Some grayware installs automatically when another program is installed. Features included with grayware might be identified in the end user license agreement (EULA). However, the undesirable features may be undocumented or even obscured.

Ransomware is a form of malware that denies access to an infected computer system until the user pays a ransom. A common form of ransomware encrypts the hard disk on the user's system, preventing access to data. The attacker demands a ransom in return for providing the decryption key. Unfortunately, the attacker frequently does not decrypt the hard disk even after the user complies with ransom demands.

Scareware is a scam that fools users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they do not actually have.

Crimeware is designed to facilitate identity theft by gaining access to a user's online financial accounts, such as banks or online retailers. Crimeware can:

- Use keystroke loggers, which capture keystrokes, mouse operations, or screenshots and transmit those actions back to the attacker to obtain passwords.
- Redirect users to fake sites designed to steal private user data.
- Steal cached passwords.

Crimeware typically conducts transactions in the background after login.

Spam is unwanted and unsolicited email sent in bulk to multiple recipients. Spam:

- May be benign emails trying to sell products.
- May be malicious emails containing phishing scams or malware-infected attachments.
- Wastes bandwidth and consumes system resources.

Fileless malware is a type of virus that resides only in the RAM of the computer. Fileless malware:

- Never writes directly to the hard drive.
- Is hard for anti-malware to detect because there are no files stored.
- Can exploit vulnerabilities in software and native applications on a device.
- Can only be detected by analyzing the code in RAM that's currently running.
- Is eliminated through rebooting the system.

**Malware Protection**

Malware is a type of software designed to take over or damage a computer without the user's knowledge or approval. You should protect all systems with malware protection software to help prevent infections and remediate systems if an infection occurs. Be aware of the following when protecting against malware:

- Most vendors provide products that protect against a wide range of malware. Malware types include viruses, spyware, ransomware, adware, and spam.
- You can install anti-malware software on an individual host system or on a network server. This software scans attachments and files before they reach the end computer.
- Most anti-malware software that protects a single host uses a signature-based scanning system.
- Signature files (also called definition files) identify specific known threats. During a system scan, the anti-malware engine runs and compares files on your computer against the signature files.
- Anti-malware software that uses signatures can only detect threats that have been identified by an associated signature file.
  Malicious software that does not have a matching signature file will not be detected. The system is not protected against these files.
- It is important to keep the signature files up to date. If possible, download new signature files daily. Most anti-malware software automatically checks for updates on a scheduled basis. It is good practice to allow automatic updates for definition files.
- Keep the scanning-engine software updated to add new features and to fix bugs in the scanning software.
- Scan all files before copying them to your computer or running them.
- In addition to using scanning software, keep your operating system and browser up to date. Make sure to apply security-related updates as they are released.
- Implement software policies that prevent downloading software from the internet.
- In highly secured areas, remove removable drives (such as recordable optical drives and USB drives) to prevent unauthorized software from entering a system.
- Show full file extensions on all files. Viruses, worms, and Trojans often make use of double file extensions to change the qualities of files that are normally deemed harmless. For example, adding the extension .txt.exe to a file makes the file look like a text file in an attachment even though it is actually an executable.
- From the Settings app, use Windows Security to check the current security status of your computer. The Security and Maintenance window shows if you have an antivirus, automatic updates, and if your firewall is running. From the Settings app, select Update & Security > Windows Security > Open Windows Security.
- Disable scripts when previewing or viewing emails.
- Educate users about the dangers of downloading software and the importance of anti-malware protection. Teach users to scan files before running them and keep the definition files up to date.
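Checking a host against the protection points above from PowerShell, as an added example that is not part of the original lesson. It assumes Microsoft Defender is the anti-malware product (its cmdlets ship with Windows 10/11), an elevated session, and the user's Downloads folder as the scan root; the lists of decoy and executable extensions are assumptions for illustration.

```powershell
# Added example (not from the original lesson): audit a Windows host against the
# malware protection points in the lesson. Assumes Microsoft Defender is installed
# and that the session is elevated. $ScanRoot is an assumption; point it at the
# folder where attachments and downloads land.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads",
    [int]$MaxSignatureAgeDays = 1      # lesson: download new signature files daily
)

# 1. Signature (definition) freshness and engine status.
$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
[pscustomobject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = [math]::Round($sigAge.TotalDays, 2)
    SignaturesStale    = $sigAge.TotalDays -gt $MaxSignatureAgeDays
    LastFullScan       = $status.FullScanEndTime
} | Format-List

# 2. "Show full file extensions": Explorer hides known extensions when
#    HideFileExt = 1, which is what makes report.txt.exe look like report.txt.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $explorerKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0) {
    Write-Warning "Known file extensions are hidden in Explorer (HideFileExt=$hideExt); double extensions will be disguised."
}

# 3. Find double-extension files whose real (last) extension is executable but
#    whose visible (second-to-last) extension suggests a harmless document.
#    Both lists are assumptions chosen for the example.
$executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
$decoy      = @('.txt', '.doc', '.docx', '.pdf', '.jpg', '.zip')

$suspects = Get-ChildItem -Path $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $parts = $_.Name.ToLower().Split('.')
        $parts.Count -ge 3 -and
        $executable -contains ".$($parts[-1])" -and
        $decoy      -contains ".$($parts[-2])"
    }

if ($suspects) {
    Write-Warning "Double-extension executables found under $ScanRoot (review before opening):"
    $suspects | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "No double-extension executables found under $ScanRoot."
}
```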
**Malware Detection**

If you suspect that your system is infected with malware, keep the following in mind:

- Common symptoms of malware on your system include:
  - The browser homepage or default search page has changed.
  - Excessive pop-ups or strange messages are displayed.
  - Firewall alerts about programs trying to access the internet are displayed.
  - System errors about corrupt or missing files are displayed.
  - File extension associations have changed to open files with a different program.
  - Files disappear, are renamed, or are corrupt.
  - New icons appear on the desktop or taskbar, or new toolbars are displayed in the browser.
  - The firewall or antivirus software is turned off, or you cannot run antivirus scans.
  - The system will not boot.
  - The system runs very slowly.
  - Unusual applications or services are running.
- Some malicious software can hide itself, so there might not be any obvious signs of its presence. Other symptoms of an infection include:
  - Slow internet access.
  - Excessive network traffic or traffic during times when no activity should occur.
  - Excessive CPU or disk activity.
  - Low system memory.
  - An unusually high volume of outgoing emails or emails sent during off hours.
- Conducting regular system scans can detect and fix many problems.
  - Most software lets you schedule complete system scans. This is often performed daily or weekly.
  - If you suspect a problem, initiate a full system scan immediately.
  - If a scan reports a serious problem, disconnect your computer from the network. This prevents your computer from infecting other computers until the problem is corrected.
- Some malicious software warnings (like those seen in pop-ups or received through email) are hoax viruses. A hoax virus instructs you to take an action to protect your system when that action actually causes harm. Two common hoaxes are:
  - Instructing you to delete a file that is reported as a virus.
    The file is actually an important system file, and deleting it will lead to instability or the inability to boot your computer.
  - Instructing you to download and run a program to see if your system is compromised or to add protection to your system. The file you download is the malicious software.
- Before taking any actions based on notices or emails, search the internet for a list of virus hoaxes and compare your notice to known hoaxes.

**FOR ADVANCED USERS**: Malware can hide itself and change parts of the operating system so it cannot be detected. It may be necessary to utilize an out-of-band solution such as booting Linux from a USB drive and scanning the Windows partitions while the Windows OS is not running.

**Malware Remediation**

Remediation is the process of correcting any problems that are found. Most antivirus software remediates problems automatically or semi-automatically (for example, you are prompted to identify the action to take). Possible actions in response to problems are:

**Repair the infection:** This may be possible for true viruses that have attached themselves to valid files. During the repair, the virus is removed and the file is placed back in its original state (if possible). Configuration changes made by the infection may also require repair. For example, if the virus changed the default browser homepage or search page, you may need to manually reset them using Internet Options in Control Panel.

**Quarantine the file:** This moves the infected file to a secure folder where it cannot be opened or run normally. You might quarantine an infected file that cannot be repaired to see if another tool or utility might be able to recover the file. Quarantining is also useful when the anti-malware software identifies a file as malware when in reality it is not.

**Delete the file:** You should delete malicious files such as worms, Trojans, spyware, or adware. Additionally, you should periodically review the quarantine folder and delete any files you do not want to recover.
A word of caution: if a system file is deleted, it could render your system unstable or prevent Windows from running correctly. In these cases, while unlikely, it may be necessary to reinstall the operating system.

A suggested procedure for remediating a system with a malware infection is as follows:

1. Identify the symptoms of the infection.
2. Quarantine the infected system.
3. Disable System Restore in Windows. This prevents the infection from being included in a restore point.
4. Update the anti-malware definitions.
5. Scan for and remove the malware. Some malware cannot be removed because it is running. If possible, stop its process and try to remove it. If you are unable to stop the malware process, try booting into Safe Mode and using scanning software to locate and remove the malware.
6. If necessary, schedule future anti-malware scans and configure the system to automatically check for signature file updates.
7. Re-enable System Restore and create a new restore point.
8. Educate the end user to prevent future infections.

**sfc.exe**

**fixmbr**

**Firewall Types**

Firewalls provide real-time protection from unauthorized connections. A firewall controls all traffic that goes in and out of a computer's network interfaces using a set of rules referred to as an access control list (ACL). Firewalls cannot protect computers from all attacks. However, they do block many attacks and make the system less attractive to hackers. It is like putting a padlock on a door.

There are several different types of firewalls that perform similar, but specific, functions. In this lesson, we will cover two: network and host-based.

Network firewalls are typically implemented using hardware and are positioned at the network's perimeter, within the networking infrastructure.

Host-based firewalls are implemented using software and reside on individual hosts within the network (user workstations, Windows servers, etc.).
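Steps 2 through 7 of the malware remediation procedure listed earlier, carried out with the Defender and System Restore cmdlets; this is an added example, not part of the original lesson. It assumes Windows PowerShell 5.1 run elevated at the local console (the script disables the network adapters, so do not run it over a remote session), Microsoft Defender as the scanner, C:\ as the system drive, and the scan schedule values shown.

```powershell
# Added example (not from the original lesson): remediation procedure steps 2-7.
# Step 1 (identify symptoms) and step 8 (educate the user) are not scriptable.
# Assumes Windows PowerShell 5.1 (Disable-/Enable-ComputerRestore are not in
# PowerShell 7), an elevated local console, and Microsoft Defender.
$SystemDrive = 'C:\'   # assumption

# Step 2: quarantine the host by disabling every connected network adapter.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# Step 3: disable System Restore so the infection cannot be captured in a restore point.
Disable-ComputerRestore -Drive $SystemDrive

# Step 4: update definitions. With the adapters down this only succeeds from a
# locally staged signature package; otherwise the warning tells you to stage one.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Warning "Signature update failed while offline: $($_.Exception.Message)"
}

# Step 5: full scan, then review what Defender found and whether it was removed.
Start-MpScan -ScanType FullScan
$detections = Get-MpThreatDetection
if ($detections) {
    $detections |
        Select-Object ThreatID, InitialDetectionTime, ActionSuccess, Resources |
        Format-Table -AutoSize
    # Threats still active after the scan are the "running malware" case in step 5:
    # stop the process if you can, otherwise rescan from Safe Mode.
    $active = Get-MpThreat | Where-Object IsActive
    if ($active) { Write-Warning "Active threats remain; reboot into Safe Mode and rescan." }
} else {
    Write-Host "No threats detected by the full scan."
}

# Step 6: schedule a weekly full scan and check for signature updates every 4 hours
# (schedule values are assumptions).
Set-MpPreference -ScanParameters FullScan `
                 -ScanScheduleDay Sunday `
                 -ScanScheduleTime 02:00:00 `
                 -SignatureUpdateInterval 4

# Step 7: re-enable System Restore and take a clean baseline restore point.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Post-malware-remediation baseline'

# Bring the network back only once the scan is clean.
Get-NetAdapter | Where-Object Status -eq 'Disabled' | Enable-NetAdapter -Confirm:$false
```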
**Microsoft Defender Antivirus Firewall**

Microsoft Defender Antivirus Firewall is a software- and host-based firewall that protects a single host system. It is designed to help prevent attackers from gaining access to your Windows client computer through the internet or through a network. Windows provides several interfaces that can be used to configure Microsoft Defender Firewall.

- Firewall & network protection
- Allowed apps
- Windows Defender Firewall with Advanced Security

**Settings**

**Firewall & network protection:** This is the main interface and starting point for the other two interfaces. From here, you can turn a firewall on or off for a specific profile or network (domain, private, or public profiles/networks). This is the interface from which you can access the Allowed apps and Windows Defender Firewall with Advanced Security. Allowed apps is accessed by selecting Allow an app through firewall. Select Advanced settings to access the Windows Defender Firewall with Advanced Security.

**Allowed apps:** This interface lets you add, change, or remove the apps and ports that are allowed through the firewall. If an app is not listed or has not been enabled (checked), the app or port will be blocked.

**Windows Defender Firewall with Advanced Security:** The Windows Defender Firewall with Advanced Security interface allows more complex rules to be created. For example, you can create rules based on the following:

- Protocols
- Ports
- Addresses
- Authentication

**Configuring Microsoft Defender Firewall**

Microsoft Defender Firewall settings are configured in the Windows Defender Firewall interface that is accessed through the Settings app. When configuring the firewall, you should have familiarity with the following:

- Microsoft Defender Firewall is turned on for each network profile by default.
- Disabling the firewall may leave the computer vulnerable to attacks. Only disable the firewall if the computer is protected by a different firewall program.
- All outbound traffic is allowed by default, as are inbound responses to requests sent from the local system. All inbound traffic initiated from external sources is automatically blocked unless you define an exception that allows that traffic through.
- Microsoft Defender Firewall uses the *implicit deny* rule. This means that all inbound traffic is blocked unless a rule is created that explicitly allows it.
- When you enable some Windows features, the corresponding network traffic is automatically allowed through the firewall. You can check the Allowed apps and features list to verify that necessary traffic has been allowed.
- To change how Windows provides notifications when the firewall blocks a new program, select **Firewall notification settings** from the Firewall & network protection interface.

**Predefined Firewall Rules**

**Change settings**

**File and Printer Sharing:** The File and Printer Sharing exception makes files and printers on the local computer available to other users on the network.

**Network Discovery:** The Network Discovery exception enables the computer to see and be seen by other computers on the network.

**Performance Logs and Alerts:** The Performance Logs and Alerts exception allows non-local computers to view and manage Performance Logs and Alerts services in Windows Defender Firewall with Advanced Security.

**Remote Assistance:** The Remote Assistance exception allows users to view and control remote desktops.

**Remote Desktop:** The Remote Desktop exception allows a remote user to log on and access the desktop of a computer. This provides access to all programs and files on the computer.
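Verifying the Defender Firewall behaviour described above (per-profile state, implicit deny, which predefined exceptions are on) and adding one Advanced Security style rule scoped by protocol, port and address, as an added example that is not part of the original lesson. It assumes an elevated session on Windows 10/11 with the NetSecurity module; the 10.0.0.0/24 management subnet and the rule name are placeholders.

```powershell
# Added example (not from the original lesson): audit and configure Microsoft
# Defender Firewall with the NetSecurity cmdlets. Run elevated.

# Per-profile state. For the documented defaults, Enabled should be True and
# DefaultInboundAction Block (implicit deny) on Domain, Private and Public.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  NotifyOnListen, LogBlocked |
    Format-Table -AutoSize

# Restore the defaults on any profile that has drifted (firewall off, or inbound
# default changed to Allow).
Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
} | ForEach-Object {
    Write-Warning "Profile $($_.Name) has been weakened; restoring implicit deny."
    Set-NetFirewallProfile -Name $_.Name -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# Which predefined exceptions (the rule groups behind "Allowed apps") are on?
# Group names as they appear in the Windows Defender Firewall interface.
$groups = 'File and Printer Sharing', 'Network Discovery', 'Remote Assistance',
          'Remote Desktop', 'Windows Remote Management'
foreach ($g in $groups) {
    $enabled = Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
               Where-Object Enabled -eq 'True'
    '{0,-28} inbound rules enabled: {1}' -f $g, @($enabled).Count
}

# Advanced Security rule based on protocol, port and address: allow inbound RDP
# (TCP 3389) only from the management subnet, rather than enabling the broad
# predefined Remote Desktop group for every network. Subnet and name are assumptions.
$ruleName = 'RDP from management subnet (example)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain, Private `
        -Protocol TCP -LocalPort 3389 `
        -RemoteAddress 10.0.0.0/24 | Out-Null
}

# Confirm the address scope actually attached to the rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```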
**Routing and Remote Access:** The Routing and Remote Access exception is a network service that provides the following access:

- Dial-up remote access for access servers
- Virtual private network (VPN) remote access for access servers
- Internet Protocol (IP) router access for connecting subnets of a private network
- Network Address Translation (NAT) for connecting a private network to the internet
- Dial-up and VPN site-to-site demand-dial router access

**Windows Management Instrumentation (WMI):** The Windows Management Instrumentation (WMI) exception allows administrators to manage local and remote computers.

**Windows Media Player:** The Windows Media Player exception allows users to receive streaming media over an Internet Protocol (IP) network.

**Windows Media Player Network Sharing Service:** The Windows Media Player Network Sharing Service exception allows users to share media on their computer with other network users.

**Windows Remote Management:** The Windows Remote Management exception allows remote management of the computer by the WS-Management Protocol.

Additional apps not listed can be included. Click **Allow another app...** to create exceptions through the firewall.

Event Viewer displays system and error messages generated by the operating system and other programs. Each entry is listed as an information, warning, error, or audit success/failure event. This lesson covers the following topics:

- Event logs
- Event Viewer

**Event Logs**

Windows event logs contain records of events that happen on the computer. Event logs help you track what happened and troubleshoot problems. The following table describes the default event logs on a Windows system.

**Application:** A list of all application-related events, such as application installations, uninstalls, and errors.

**Security:** A list of all security-related events, such as security modifications and user login events. An example of user login events is enabling logon auditing to record logon attempts.
**Setup:** Events related to an application setup.

**System:** A list of all system-related events, such as system modifications, malfunctions, and errors.

**Forwarded Events:** Events gathered from remote systems through event subscriptions. Event subscriptions collect data on events from multiple remote machines.

**Event Viewer**

The Event Viewer organizes event logs from system apps into one location. You can use these logs for pinpointing and troubleshooting hardware issues that you are trying to fix. You can use Event Viewer to view events on remote computers; however, the events remain in the log files on the remote computer. They are not transferred to the computer from which you are viewing the events in Event Viewer.

You can access the Event Viewer by:

- Typing **event viewer** into the Taskbar's search menu.
- Typing **eventvwr** into the Run command.
- Typing **eventvwr** into the Command Prompt.

The following table describes various features available within Event Viewer when managing event logs.

**Filter events:** You can filter events to show events of only a specific type, severity, or some other characteristic. For example, you can filter by time, event level, event ID, user, or computer. When filtering events, be aware of the following:

- The filter applies only to the selected log.
- To remove a filter, right-click the log and select **Clear Filter**.
- The filter is removed when you close Event Viewer.
- If you save a filtered log, only the filtered events are saved. To save the entire log, clear the filter before saving.

**Custom views:** You can create custom views to apply filter criteria to one or more event logs and have the filter saved between Event Viewer sessions. Using a custom view ensures the same filtered view is enabled each time you use Event Viewer. Be aware of the following facts about custom views:

- Event Viewer has several predefined custom views:
  - Administrative Events
  - Active Directory Domain Services
  - File Server
  - Print Services
- When you create the custom view, the filter criteria applied to the selected log are included in the custom view criteria.
- To remove old messages from the custom view without deleting the messages, edit the properties to change the logged parameters.
- You cannot clear the events in a custom view. Instead, clear the events in the original log file.
- You can export a custom view and import it on another system. The custom view criteria are exported and imported, not the events showing in the view.
- To save the events showing in a custom view, use the **Save Events in Custom View As** option.

**Attach a task:** Attach a task to an event or a log to make the system take action when an event is logged.

- Tasks attached to a log or a custom view execute the action when any event is added to the log or the custom view.
- Tasks attached to an event execute the action whenever an event with the specified ID, source, and log occurs.
- Tasks include the following:
  - Run a program
  - Send an email
  - Display a message

  The Send an email and Display a message tasks are displayed in Windows 8.x and later, but do not work.

**Event log online help:** Each event has an **Event Log Online Help** link. By default, clicking this link sends information about the event (e.g., the Event ID and source) to Microsoft. The default browser is then opened with additional information (if any) from the Microsoft website. You can customize the behavior of this link as follows:

- You can associate a custom URL with a specific event ID.
- You can send the information to a server other than the Microsoft server.
- You can disable the link and prevent data from being sent over the internet.

**Clear Log:** If you right-click any of the logs, you'll see a **Clear Log** option. You can use this to free up space or to limit the view to more recent events.
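The Event Viewer operations described above (filtering by log, level, event ID and time; saving only the filtered events; archiving a log before clearing it) done from PowerShell with Get-WinEvent and wevtutil, as an added example that is not part of the original lesson. It assumes an elevated session (needed to read the Security log), C:\EventArchive as the archive folder, and a 24-hour window; the failed-logon event ID 4625 is the filter chosen for illustration.

```powershell
# Added example (not from the original lesson): filter, summarise, export and
# archive Windows event logs. Run elevated. $ArchiveDir is an assumption.
$ArchiveDir = 'C:\EventArchive'
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$since = (Get-Date).AddHours(-24)

# Filter events: Security log, failed logon attempts (event ID 4625), last 24 hours.
# -ErrorAction SilentlyContinue suppresses the "No events were found" error.
$failedLogons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# Summarise by account and source address, the columns you would scan by eye in
# the filtered Event Viewer pane; the fields live in the event's XML EventData.
$failedLogons | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $d['TargetUserName']
        Source  = $d['IpAddress']
        Status  = $d['Status']
    }
} | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# System log, Critical (level 1) and Error (level 2) only, last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName |
    Format-Table -AutoSize

# "If you save a filtered log, only the filtered events are saved": export the same
# 4625 / 24-hour filter with wevtutil so the result is a real .evtx that Event
# Viewer can open (the XPath is the same form Event Viewer's filter dialog builds).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$query = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
wevtutil epl Security "$ArchiveDir\Security-4625-$stamp.evtx" /q:$query

# "Save and Clear": back up the whole Application log to a file, then clear it.
wevtutil cl Application /bu:"$ArchiveDir\Application-$stamp.evtx"
```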
Because logs help to troubleshoot problems and to determine a device's overall health, you'll want to keep event logs as long as possible.

If you decide to clear the logs, you can archive the log history to an external file. This can be done using the **Save and Clear** option.

You can use the Windows Performance Monitor to examine your computer's performance in real time and collect log data for later analysis. This lesson covers the following topics:

- Windows Performance Monitor tools

**Windows Performance Monitor Tools**

The following are useful tools associated with Windows Performance Monitor:

**Monitoring tools:** Performance Monitor displays real-time visual graphs of a computer's overall performance.

- Track performance by using objects and counters.
  - An object is a statistic group which often corresponds to a specific type of hardware device or software process.
  - A counter is a specific statistic you can monitor. For example, for the PhysicalDisk object, you can monitor counters such as %Disk Read Time or %Idle Time.
- Add or remove counters to customize the statistics displayed.
- Performance Monitor displays data in the following forms:
  - Line graph
  - Histogram
  - Report (text)
- Performance Monitor by itself does not save any data. To save statistics over time, use a Data Collector Set (DCS).

**perfmon.exe**

- Run **perfmon /sys** to open Performance Monitor in standalone mode. When in standalone mode, you can compare multiple logs by overlaying each log onto a base log. This lets you compare statistics between them. Use the **compare** option to accomplish this.
- Run **perfmon /report** to quickly generate and display a system diagnostic report.

**Data Collector Set (DCS):** A Data Collector Set (DCS) captures system performance statistics over a period of time. A DCS includes one or more data collectors that identify the specific objects and counters you want to track.
When creating a counter, you can specify whether you want to monitor the local computer or a remote computer. Monitoring a remote computer provides a more accurate view of performance since it doesn't include the load of running Performance Monitor.

You can define your own custom collector sets by using templates or creating the sets manually. Windows comes with the following default collector sets:

- The System Performance set collects information about the CPU, hard disk drive, system kernel, and network performance. By default, it collects information for 10 minutes. Use this set for a computer that is running slowly or having intermittent performance problems. (Since the System Performance collector set has fewer counters, use it instead of the System Diagnostics collector set whenever possible.)
- The System Diagnostics set collects detailed system information in addition to the data gathered from the System Performance set. By default, it collects information for 1 minute. Use this set to troubleshoot reliability problems related to defective hardware or driver failures.

There are four types of data collectors:

- Performance counters save system statistics to a Performance Log. Performance Logs can be read by Performance Monitor and the Reports tool. Logs can be saved to different log formats.
  - Use text files (comma or tab delimited) to import data into a spreadsheet program.
  - Use binary files to save data that is intermittent. Select a circular file to save all data into a single file. This overwrites the contents when the log is full.
  - Use SQL database files to import statistics into an SQL server in order to perform data comparisons on data archives.
- Event trace data collectors capture events logged by software processes.
- Configurations monitor the state of Registry keys and changes to them.
- Performance counter alerts configure alert triggers. When you configure an alert, you specify the following:
  - The counter you want to watch.
  - A threshold limit (a counter value that triggers an alert when exceeded).
  - An action to take when the threshold value is reached.

When configuring Data Collector Sets, keep the following in mind:

- The schedule specifies how often to start a collection task. For example, you can configure the collector to start every day at a specific hour.
- To collect data for a specified amount of time, configure the overall duration on the Stop Condition tab of the collector set. Once the collectors in the set start, they automatically stop when the duration period is reached.
- By default, the stop duration of a Data Collector Set is 1 minute. To make the DCS run continuously, set the Overall Duration to 0 seconds or deselect Overall Duration. Do not set it to run continuously if you are only interested in a specific time of day.
- To control how frequently a counter is sampled, configure the sample interval on the Performance Counters tab of the DCS. For example, you can configure the collector to get information every 15 minutes.
- Control how frequently new log files are created using the limit duration setting for the Stop Condition. For example, configuring a limit duration of 5 minutes creates a new log file every 5 minutes.
- Use the **When a limit is reached, restart the data collector set** option to break the log file into multiple files. When the duration or maximum size is reached, a new log file is created.

**Reports:** Use the Reports tool to view the collected data or to create new reports from DCS counters. Keep the following in mind about Performance Monitor reports:

- If a collector set has not been defined and run, no reports will be available.
- Membership in the local Performance Log Users or Administrators group (or equivalent) is required to view the reports.

The Reports tool displays a System Diagnostics report (also known as a System Health report) that includes the status of hardware resources, system response times, and processes on the local computer.
The report includes suggestions for ways to maximize performance and streamline system operation. Membership in the local Administrators group (or equivalent) is required to generate a system diagnostic report. To generate a report:

1. Start the System Diagnostics Data Collector Set in Performance Monitor.
2. In the *Advanced Tools* of the **Performance Information and Tools** console, select **Generate a system health report**.

**Logman:** Use the logman command with the following options to create and manage logs:

- **create counter** creates a new performance counter data collector.
- **create trace** creates a new event trace data collector.
- **create config** creates a new configuration data collector.
- **start** starts an existing collection and sets the begin time to manual.
- **stop** stops an existing collection and sets the end time to manual.

Windows provides resource monitoring tools for troubleshooting problems and gathering real-time information about a computer system. This lesson covers the following topics:

- Resource monitoring tools
- Task Manager features

**Resource Monitoring Tools**

Monitoring tools are useful to resolve an issue such as an app that stops running. These tools may also be useful for improving the performance of a poorly running system. The following table describes some of the resource monitoring tools.

**Task Manager:** Task Manager is a Windows utility that displays information about the system's use of resources. The utilization statistics provided in Task Manager can help resolve system problems. For example:

- If a system is performing poorly, look for a process that is using more CPU resources than it should.
- You can use memory utilization statistics when trying to identify a memory leak. When an application does not release memory that it no longer needs, it can consume more and more memory resources until it uses all available memory.
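Building the kind of Data Collector Set described in the Performance Monitor section above with the logman options just listed (create counter, start, stop), then reading the binary log back for analysis, as an added example that is not part of the original lesson. It assumes an elevated session on Windows 10/11; the set name, counter list and C:\PerfLogs\baseline output path are assumptions.

```powershell
# Added example (not from the original lesson): a performance counter DCS built
# with logman, a live sample with Get-Counter, and log analysis with Import-Counter.
# Run elevated. Name, counters and output path are assumptions.
$name = 'SysPerfBaseline'
$out  = 'C:\PerfLogs\baseline'

# Counters chosen to mirror the System Performance set: CPU, disk, memory, network.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\% Idle Time',
    '\PhysicalDisk(_Total)\% Disk Read Time',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Bytes Total/sec'
)

# create counter: binary log (-f bin; use bincirc for a circular file that
# overwrites itself when -max is reached), sample every 15 s (-si), run for
# 10 minutes (-rf) like the default System Performance set, and start a new
# file every 5 minutes (-cnf), the "limit duration" setting described above.
logman create counter $name -c $counters -si 00:00:15 -f bin -max 50 `
    -o $out -rf 00:10:00 -cnf 00:05:00 -ow

# start/stop set the begin and end times to manual; query shows the set's status.
logman start $name
logman query $name

# Meanwhile, a live sample of two of the same counters, the numbers Performance
# Monitor's line graph would plot (3 samples, 5 s apart).
Get-Counter -Counter $counters[0], $counters[3] -SampleInterval 5 -MaxSamples 3 |
    ForEach-Object {
        $_.CounterSamples | Select-Object @{n='Time';    e={$_.Timestamp}},
                                          @{n='Counter'; e={$_.Path}},
                                          @{n='Value';   e={[math]::Round($_.CookedValue, 1)}}
    } | Format-Table -AutoSize

logman stop $name

# Read the binary (.blg) logs back and report the peak CPU value in each file.
Get-ChildItem "$out*.blg" | ForEach-Object {
    $peak = Import-Counter -Path $_.FullName |
        ForEach-Object { $_.CounterSamples } |
        Where-Object Path -like '*% Processor Time' |
        Sort-Object CookedValue -Descending | Select-Object -First 1
    '{0}: peak CPU {1:N1}% at {2}' -f $_.Name, $peak.CookedValue, $peak.Timestamp
}
```

Once the logs are archived, `logman delete SysPerfBaseline` removes the collector definition.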
Resource Monitor: Resource Monitor displays real-time information about the resource utilization of installed hardware and software.

- You can start Resource Monitor from the Performance tab of Task Manager. You can also start it by entering **resmon.exe** at the command line, or by typing Resource Monitor in the Windows search box and selecting the app.
- The Overview tab displays basic usage status for these system resources:
  - CPU
  - Disk
  - Network
  - Memory
- The other tabs on the Resource Monitor screen display detailed information for each system resource: CPU, memory, disk, and network.
- The first table on each of the Resource Monitor tabs displays active processes.
  - You can filter the information by selecting one or more processes.
  - The filtered information is displayed in the sections below the table.
  - The information on the other tabs is filtered as well.
- You can use Resource Monitor to manage resources. Management tasks are:
  - End a process or its process tree
  - Suspend (pause) a process
  - Resume a suspended process
  - Start, stop, or restart a service
- Use caution when ending a process in Resource Monitor. Consider:
  - If a process or service has an exit or force-quit function, try that before ending the process in Resource Monitor.
  - Data may be lost when a process associated with an application is ended.
  - Ending a system process may cause system instability.
  - A process that appears to be unresponsive may be waiting for another process, service, or system resource.
- Resource Monitor displays a process's Wait Chain to determine whether another process is preventing it from working properly. To view the Wait Chain:
  - Right-click the process and select **Analyze Wait Chain**.
  - View the Wait Chain to identify whether the process is working properly. If the process is waiting on another process, a tree of processes is displayed, ordered by process dependency.
- When you filter on a process, only the statistics for that process are shown on all tabs.
- A process that is not responding appears as a red entry in the CPU table.

To use Resource Monitor, the user must have administrative privileges.

Process Explorer: Process Explorer is part of the Sysinternals suite and must be downloaded from Microsoft's site. Process Explorer:

- Identifies the program (process) that has a particular file or directory open.
- Provides information about the handles and DLLs opened by or loaded into a specific process. This helps identify the application or service responsible for activity on the disk, including the files and folders accessed.
- Searches for data, such as the process or application that has a specific file open or a certain DLL loaded.
- Displays statistics in graphical form for system CPU usage history, committed virtual memory usage, and I/O throughput. You can click a graph to open the System Information screen and display more detailed graphs.

**Task Manager Features**

Task Manager:

- Provides a snapshot of what is happening on your system at any given time.
- Does not require any special configuration.
- Is easily accessible.
- Allows you to stop an unresponsive application or process.

Task Manager can be accessed by:

- Pressing **Ctrl** + **Alt** + **Del** and clicking Task Manager.
- Right-clicking the Windows Taskbar and clicking Task Manager.
- Pressing **Ctrl** + **Shift** + **Esc**.
- Typing **task manager** into the Windows Search box.

Today's Task Manager is significantly different from Task Manager in versions of Windows preceding Windows 8. The following table describes the current Task Manager.

The Processes tab displays currently running apps and background processes. Select the arrow to the left of a listed background process to expand the process tree and view the applications and/or services that depend on the process. To the right of each application and process, statistics for CPU utilization, memory utilization, disk I/O, and network utilization are listed.
You can stop an unresponsive application or process from this tab. Select the application or process, and then select **End Task**.

The Performance tab provides an overall view of how well the system is performing. This tab graphs CPU, memory, disk, and network utilization. Select a small graph on the left to display a larger graph for that resource. When working with the Performance tab, keep the following in mind:

- If the computer has more than one physical CPU or the CPUs have multiple cores, you can display a graph for each logical processor by right-clicking the CPU graph and selecting **Change graph to** > **Logical processors**.
- If the CPU usage history graph stays above 80%, a program might not be responding or might be over-utilizing CPU resources. Momentary spikes, however, do not indicate a problem.
- If the Memory graph is consistently high, the cause could be too many applications open at the same time, not enough memory installed in the system, or a memory leak. Use the Details tab to identify the application or applications using large amounts of memory.

The Performance tab displays snapshots of CPU usage. To drill down and gather more detailed and granular CPU performance data, use Performance Monitor.

The App History tab provides the following historical measurements for Windows Store (now Microsoft Store) apps:

- Total CPU usage
- Network usage
- Metered network usage
- Data used by live tile updates

The Startup tab displays a list of applications that are configured to run automatically at system startup. To decrease system boot time, enable only those applications that you use on a regular basis.

The Users tab displays each user currently logged on to the computer. You can disconnect a user if necessary.
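Expanding a process tree and using End Task are quick in the GUI but leave no record of what was terminated, under which account it ran, or what its command line was, which is exactly what an incident responder needs to preserve. The following added example (not part of the course) reproduces the Processes tab's tree view and End Task from PowerShell, together with the priority class and processor affinity settings that Task Manager exposes on its Details tab. The process names and PIDs in the usage lines are illustrative; reading other users' processes requires an elevated session.

```powershell
# Added example: Task Manager's tree view, End Task, Set priority and Set affinity
# as script. Assumed/illustrative: the PIDs and process names in the usage lines.

# Win32_Process carries the parent PID, owner and command line that the Details tab
# shows; grouping by parent once lets the tree be walked without re-querying.
function Get-ProcessTree {
    param([Parameter(Mandatory)][int]$RootPid)
    $all      = Get-CimInstance Win32_Process
    $byParent = $all | Group-Object ParentProcessId -AsHashTable -AsString
    $seen     = New-Object 'System.Collections.Generic.HashSet[int]'

    function Walk([int]$procId, [int]$depth) {
        if (-not $seen.Add($procId)) { return }          # PID reuse can create loops
        $p = $all | Where-Object ProcessId -eq $procId
        if (-not $p) { return }
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        [pscustomobject]@{
            Depth       = $depth
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Name        = $p.Name
            User        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '' }
            CommandLine = $p.CommandLine
        }
        foreach ($child in $byParent["$procId"]) { Walk $child.ProcessId ($depth + 1) }
    }
    Walk $RootPid 0
}

# End Task, done carefully: ask for a clean exit first so the app can save its data,
# and only kill the tree (children first) if it does not comply within the grace period.
function Stop-ProcessTreeGracefully {
    param([Parameter(Mandatory)][int]$RootPid, [int]$GraceSeconds = 10)
    $root = Get-Process -Id $RootPid -ErrorAction Stop
    if ($root.MainWindowHandle -ne [IntPtr]::Zero -and $root.Responding) {
        $null = $root.CloseMainWindow()                  # equivalent to clicking the X
        if ($root.WaitForExit($GraceSeconds * 1000)) { return "PID $RootPid exited cleanly" }
    }
    $tree = @(Get-ProcessTree -RootPid $RootPid | Sort-Object Depth -Descending)
    foreach ($node in $tree) { Stop-Process -Id $node.PID -Force -ErrorAction SilentlyContinue }
    "PID $RootPid and $($tree.Count - 1) descendant(s) terminated"
}

# Details tab > Set priority / Set affinity. RealTime is refused on purpose: it
# starves everything else, including the input threads needed to recover the machine.
function Set-ProcessSchedulingHints {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [System.Diagnostics.ProcessPriorityClass]$Priority = 'AboveNormal',
        [int[]]$Cores = @(0)
    )
    if ($Priority -eq 'RealTime') { throw 'Refusing RealTime; use High or AboveNormal.' }
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    $p.PriorityClass = $Priority
    $mask = 0
    foreach ($c in $Cores) { $mask = $mask -bor (1 -shl $c) }   # bit n = logical CPU n
    $p.ProcessorAffinity = [IntPtr]$mask
    [pscustomobject]@{ PID = $ProcessId; Priority = $p.PriorityClass; AffinityMask = ('0x{0:X}' -f $mask) }
}

# Usage (illustrative targets):
# Get-ProcessTree -RootPid (Get-Process -Name explorer | Select-Object -First 1).Id | Format-Table -AutoSize
# Set-ProcessSchedulingHints -ProcessId 1234 -Priority High -Cores 0,1
# Stop-ProcessTreeGracefully -RootPid 1234 -GraceSeconds 15
```

Pipe the tree output to **Export-Csv** before terminating anything: once the processes are gone, the parent relationships and command lines are unrecoverable from the live system.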
The Details tab displays the following information for each process running on the system:

- Process name
- Process ID (PID)
- Status
- The user account that started the process
- CPU utilization
- Memory utilization
- A description of the process

Use the Details tab to:

- Kill (end) a process or a process tree (the process and all of its associated sub-processes).
- Configure the process priority. The priority controls how the scheduler delays or switches between processes. Priority settings are:
  - Real Time
  - High
  - Above Normal
  - Normal
  - Below Normal
  - Low

  Setting a process to Real Time dramatically decreases the performance of every other process on the system. Use High or Above Normal to give a process more CPU time.
  - By default, the system gives a higher priority to the process that has active user input or interaction.
  - Processes can continue to run in the background when the user is not actively interacting with the application. Virus scanners, video compression, and backups are examples of processes that run in the background while the user works in a different application.
- Configure the processor affinity, which identifies the processors or processor cores the process can use. For example, you can configure a process to run on only one of the cores in a quad-core CPU. You can't change the affinity of some Windows processes.

The Services tab lists the services installed on the system along with their status. Use the Services tab to:

- Start or stop a service.
- Jump to the process (on the Details tab) associated with a running service.

The Reliability Monitor and Action Center are tools that help you proactively monitor the health of a Windows system and avert performance and reliability problems. This lesson covers the following topics:

- Reliability Monitor
- Action Center

**Reliability Monitor**

Reliability Monitor tracks a computer's stability by maintaining historical data relating to the operating system's stability.
The historical information gathered by Reliability Monitor is useful for troubleshooting intermittent problems. When using Reliability Monitor, be aware that:

- Reliability Monitor is included with the Windows Reliability and Performance Monitor snap-in for the Microsoft Management Console (MMC).
- Reliability Monitor maintains a timeline of system changes.
- Information gathered by Reliability Monitor can be used to achieve optimum system reliability.
- Data is stored daily and displayed as a stability index that provides a rating between 1 and 10. The stability index is based on:
  - Software installs/uninstalls
  - Application and Windows failures
  - Hardware and driver failures
  - Memory failures
  - Miscellaneous failures
  - Operating system update installations
  - Operating system driver installations
- The System Stability chart provides an overview of system stability for the past year in daily increments. On the System Stability chart:
  - Information icons indicate an issue of less concern, such as a successful update of Windows Defender definitions.
  - Warning icons indicate an issue of more concern, such as an unsuccessful reconfiguration attempt for an application.
  - Error icons indicate a much more serious issue, such as a process that stopped working.
- The stability index value is calculated using system data from the last 28 days. The calculation does not include time the computer is turned off, sleeping, or hibernating.
- A dotted line on the graph indicates that there is not enough data to calculate a stability index.
- Recent failures are weighted more heavily than past failures, so an improvement over time is reflected in a rising stability index value.

Methods for opening Reliability Monitor:

- From the Windows taskbar, type **Reliability Monitor**, then select **View reliability history**.
- Run **perfmon /rel** from a Command Prompt.
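The chart is convenient on one machine, but the same data is exposed through two WMI classes, **Win32_ReliabilityStabilityMetrics** (the daily index) and **Win32_ReliabilityRecords** (the events behind each icon), so installs, crashes and the index can be pulled in bulk or from a remote host. The following is an added example, not the course's own code; the 28-day window follows the index calculation described above, while the choice to single out installer and application-failure events is an analyst's, since unexpected installs and crashing security tools are what a responder looks for first.

```powershell
# Added example: read Reliability Monitor's data through WMI/CIM.
# Assumed: the source-name filters below are an analyst's choice, not a Microsoft list.

function Get-ReliabilityHistory {
    param([int]$Days = 28)
    $since = (Get-Date).AddDays(-$Days)

    # One stability index per day (1-10). Days missing here are the dotted-line
    # days in the GUI: not enough data to compute an index.
    $index = Get-CimInstance Win32_ReliabilityStabilityMetrics |
        Where-Object TimeGenerated -ge $since |
        Sort-Object TimeGenerated |
        Select-Object @{ n = 'Date';  e = { $_.TimeGenerated.ToString('yyyy-MM-dd') } },
                      @{ n = 'Index'; e = { [math]::Round($_.SystemStabilityIndex, 2) } }

    # The individual events. SourceName is the logging component (Application Error,
    # Application Hang, Windows Error Reporting, MsiInstaller, ...), EventIdentifier
    # the event ID; only the first line of the message is kept for the table.
    $events = Get-CimInstance Win32_ReliabilityRecords |
        Where-Object TimeGenerated -ge $since |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, SourceName, EventIdentifier, ProductName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        WorstDays   = $index  | Sort-Object Index | Select-Object -First 5
        Installs    = $events | Where-Object SourceName -eq 'MsiInstaller'
        AppFailures = $events | Where-Object SourceName -in 'Application Error', 'Application Hang'
        AllEvents   = $events
    }
}

# Usage:
# $r = Get-ReliabilityHistory -Days 28
# $r.WorstDays | Format-Table
# $r.Installs  | Format-Table TimeGenerated, ProductName, Message -Wrap
```

On Windows Server editions the collection task behind these classes (RAC, under Task Scheduler's Microsoft\Windows\RAC folder) is disabled by default, so the query returns nothing until it is enabled; client editions populate it automatically.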
**Action Center**

The Windows Action Center is a central location for managing system messages and resolving issues with your system. The Action Center can be accessed by:

- Selecting the **notifications icon** in the Windows taskbar (next to the clock).
- Pressing the **Windows logo key** + **A**.
- Swiping in from the right edge of a touchscreen.

The Action Center:

- Queues messages that require your attention.
- Checks various security- and maintenance-related items that influence the computer's overall health and performance.
- Consolidates messages and status updates for the following security-related tools into one location:
  - Windows Update
  - Internet security settings
  - Windows Firewall
  - Microsoft account
  - Windows activation
  - Malware protection
  - User Account Control
  - SmartScreen
- Consolidates messages and status updates for the following maintenance tools into one location:
  - Windows Backup
  - Automatic Maintenance
  - Drive status
  - Device software
  - Startup apps
  - Windows Troubleshooting
  - HomeGroup
  - File History
  - Storage Spaces
  - Work Folders
- Notifies you when the status of a monitored item changes. The color of the notification reflects the severity of the item.
- Provides recommended actions to resolve the issues detected.
- Relies on the Security Center service being active and running. Other services, such as Network Access Protection, also rely on the Security Center service being active.

The items shown in the Action Center can be managed from the Settings app by selecting **System** > **Notifications & actions**.

**System Information App**

When troubleshooting computer problems, you may need to view detailed information about the hardware and software installed on the system. This can be done with the Windows System Information app. This tool gathers information about your computer and displays a comprehensive view of your hardware, system components, and software environment. You can use this information to diagnose computer issues.
To run this app, type **System Information** (or **msinfo32.exe**) in the taskbar's search field and click **Run as administrator**. Running System Information without administrator privileges may show some drivers as stopped when they are not, because the cache for this information can only be updated with administrator privileges.

The System Information app does not provide hardware information when run in Safe Mode. In Safe Mode, System Information is limited to displaying information about system components and the software environment.

If you have an idea of what you are looking for, use the **Find what** search field near the bottom of the window.

The information collected by System Information can be printed and exported. Recording detailed information about the system is useful for troubleshooting: when you report an issue, a vendor may request this export to better understand the current system state. Complete the following steps to export System Information:

1. From the System Information menu bar, select **File** > **Export**.
2. Specify the path and file name, then click **Save**.

**System Configuration App**

Use the System Configuration app (**msconfig.exe**) to troubleshoot startup issues and to optimize the startup process. Using the System Configuration utility requires that the system be completely booted. If a normal boot is not possible, try booting into Safe Mode and then running the **msconfig.exe** command.

Using the System Configuration utility, you can:

- Configure startup preferences.
- View and customize Windows setup components.
- Customize the boot configuration, including the default operating system and Safe Mode boot selection.
- Disable or enable services at system boot.
- Enable and disable startup utilities and programs.
- Access available tools and view the file and file path of the application that runs each tool.
Be aware of the following regarding System Configuration:

- The System Configuration utility does not alter the current state of services immediately. It marks a service as disabled and stopped; the change is applied after the system reboots.
- To stop and disable a service without rebooting, use the Services console or Task Manager.
- For Windows 8.x and later, you must use the Startup tab of Task Manager to manage startup applications; the Startup tab in System Configuration only links there.

**Services App**

Services are special applications that run on Windows in their own session, without a user interface. They run in the background, can be started automatically when the computer boots, and can be paused or restarted. Many Windows services are critical to operations, so you do not need to access them often. When you do, you can use the Services app or the Command Prompt.

There are several ways to open the Services app:

- Type **services** or **services.msc** in the taskbar's search field.
- Type **services.msc** in the Run command box.
- Open **Control Panel**, then select **System and Security** > **Windows Tools** > **Services**.
- Right-click the **Start menu** icon, then select **Computer Management** > **Services and Applications** > **Services**.

Using the Services app lets you:

- View a list of installed services along with each service's name, description, and configuration.
- Start, stop, pause, or restart services.
- Specify service parameters when applicable.
- Change the startup type.
- Change the user account context in which the service operates.
- Configure recovery actions to take if a service fails.
- Inspect service dependencies. You can discover the services or device drivers that depend on a given service, and the services or device drivers that a given service depends on.
- Export the list of services as a text or CSV file.
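The Services app shows each service's account, startup type and dependencies one service at a time. The following added example (not the course's own code) produces the same information for every installed service at once and adds two checks the app does not surface: services whose executable lives outside the Windows and Program Files trees, and unquoted image paths that contain spaces, a long-standing local privilege escalation vector because Windows tries each space-delimited prefix as a program name before reaching the real binary. The dependency report uses the Security Center service (**wscsvc**) as its sample because the Action Center section above depends on it; any service name works.

```powershell
# Added example: audit all installed services and walk one service's dependencies.
# Assumed/illustrative: wscsvc as the sample service; the "trusted" directory list.

function Get-ServiceAudit {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-CimInstance Win32_Service | ForEach-Object {
        $path = [string]$_.PathName

        # Separate the image path from its arguments.
        if ($path -match '^"([^"]+)"')            { $exe = $Matches[1]; $quoted = $true }
        elseif ($path -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1]; $quoted = $false }
        else                                      { $exe = ($path -split '\s')[0]; $quoted = $false }

        # Unquoted path with a space: C:\Program Files\Some App\svc.exe is tried as
        # C:\Program.exe, then "C:\Program Files\Some.exe", before the real binary.
        $unquoted = (-not $quoted) -and ($exe -match '\s')

        # Binary outside the OS and Program Files trees (e.g. under ProgramData or a
        # user profile) deserves a second look; relative/kernel paths are left alone.
        $rooted  = [System.IO.Path]::IsPathRooted($exe)
        $inTrust = $trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        $outside = $rooted -and (-not $inTrust)

        [pscustomobject]@{
            Name           = $_.Name
            State          = $_.State
            StartMode      = $_.StartMode
            Account        = $_.StartName
            Executable     = $exe
            UnquotedPath   = $unquoted
            OutsideTrusted = [bool]$outside
        }
    }
}

# The Dependencies tab of the Services app, as an object.
function Get-ServiceDependencyReport {
    param([string]$Name = 'wscsvc')      # Security Center; assumed sample service
    $svc = Get-Service -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Service           = $svc.Name
        Status            = $svc.Status
        StartType         = $svc.StartType
        RequiredServices  = ($svc.ServicesDependedOn | Select-Object -ExpandProperty Name) -join ', '
        DependentServices = ($svc.DependentServices  | Select-Object -ExpandProperty Name) -join ', '
    }
}

# Usage:
# Get-ServiceAudit | Where-Object { $_.UnquotedPath -or $_.OutsideTrusted } | Format-Table -AutoSize
# Get-ServiceDependencyReport -Name wscsvc
# Get-ServiceAudit | Export-Csv C:\Temp\services.csv -NoTypeInformation   # the app's Export, scripted
```

An unquoted path is only exploitable if one of the intermediate directories is writable by a low-privileged user, so follow a hit with an ACL check on each prefix directory before treating it as a finding.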
Selecting a service in the Standard view displays a brief description of the service, as shown in the image below. Double-clicking the service opens its properties so you can manage it.

Windows services can also be managed from the Command Prompt, which you can open by typing **command prompt** into the taskbar's search field. Use the following commands to manage services from the Command Prompt:

- **net start** *service* starts a service.
- **net pause** *service* pauses a service.
- **net stop** *service* stops a service.
- **net continue** *service* resumes a paused service.

**Task Scheduler App**

Task Scheduler is a Windows app you can use to automatically start an application or run a script based on events. Tasks commonly scheduled to run at regular intervals include backups, malware scans, and system updates.

Triggers identify the conditions that start a task. Triggers include a day, a time, a logon, and responses to other system events. You can configure Task Scheduler to run a program, send an email, or show a message when the trigger occurs.

Tasks are stored in folders in the Task Scheduler Library. To view or act on an individual task, select it in the Task Scheduler Library and click a command in the Action menu. Using Task Scheduler, you can view the tasks that are scheduled to run and their current status. You can end tasks if needed or edit them to behave differently.

Task Scheduler can be opened by typing **Task Scheduler** (or **taskschd.msc**) in the taskbar's search field and selecting **Run as administrator**.

**Registry Editor**

Microsoft Registry Editor (**regedit.exe**) modifies entries in the Windows Registry. The Registry is a database that holds hardware, software, and user configuration settings.

- Whenever you change preferences, software, hardware, or user settings, the Registry stores and reflects those settings.
- The preferred method of modifying the Registry is to use the applications or management tools that write to the Registry on your behalf. For example, many Control Panel applets make their changes in Registry settings.
- Some advanced settings can only be made by editing the Registry directly.

**Microsoft Management Console**

The Microsoft Management Console (MMC) is a built-in framework for organizing and displaying administrative tools. It provides easy, consolidated access to the tools you use most to manage the Windows operating system, and a console can be customized to fit your administrative needs. Computer Management (**compmgmt.msc**) is the preconfigured console used most often; **mmc.exe** on its own opens an empty console to which you add snap-ins.

There are several ways to open Computer Management:

- Type **computer management**, **compmgmt.msc**, or **compmgmt** in the taskbar's search field.
- Press **Windows** + **X** and select **Computer Management**.
- Right-click the **Start menu** icon and select **Computer Management**.
- Press **Windows** + **R**, then type **compmgmt.msc** or **compmgmt**.
- Open **Control Panel**, select **Windows Tools**, and select **Computer Management**.

Through the MMC, you can perform several administrative tasks, such as:

- Manage software
- Manage hardware
- Manage the operating system's network components
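The startup programs that System Configuration and Task Manager's Startup tab manage, the tasks in the Task Scheduler Library, and the Run keys in the Registry are three separate tools for three of the places Windows launches code without asking. Malware persistence is routinely missed by checking only one of them. The following added example (not from the course) inventories all three in one list and flags entries launched from user-writable locations or through script hosts with hidden or encoded arguments. The Run-key list is the common set, not every autostart location Windows has (Sysinternals Autoruns covers the rest), and the suspicion rules are an analyst's heuristics.

```powershell
# Added example: one inventory of startup items, scheduled tasks and Run keys.
# Assumed: the Run-key list below is partial; the "Suspicious" rules are heuristics.

function Get-AutostartInventory {
    # 1. Startup folders and Run keys as Win32_StartupCommand enumerates them.
    $startup = Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Source = "StartupCommand: $($_.Location)"; Name = $_.Name
                           Command = $_.Command; Principal = $_.User }
    }

    # 2. Run/RunOnce keys read directly, including the per-user and WOW64 views.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $registry = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{ Source = "Registry: $key"; Name = $p.Name; Command = [string]$p.Value
                               Principal = if ($key -like 'HKCU*') { $env:USERNAME } else { 'any user' } }
        }
    }

    # 3. Enabled scheduled tasks with an executable action (COM-handler actions have no Execute).
    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            [pscustomobject]@{ Source = "Task: $($task.TaskPath)"; Name = $task.TaskName
                               Command = ("$($a.Execute) $($a.Arguments)").Trim()
                               Principal = $task.Principal.UserId }
        }
    }

    # Flag launch points that persistence techniques favour. PowerShell evaluates
    # -and/-or left to right at equal precedence, hence the explicit parentheses.
    foreach ($item in @($startup) + @($registry) + @($tasks)) {
        $userWritable = $item.Command -match '\\(AppData|Temp|Public|ProgramData)\\'
        $scriptHost   = $item.Command -match '\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\b'
        $hiddenOrEnc  = $item.Command -match '(-enc|-e\s|-w\s+hidden|-nop|https?://)'
        $item | Add-Member -NotePropertyName Suspicious `
                           -NotePropertyValue ($userWritable -or ($scriptHost -and $hiddenOrEnc)) -PassThru
    }
}

# Usage:
# Get-AutostartInventory | Where-Object Suspicious | Format-Table Source, Name, Command -Wrap
# Get-AutostartInventory | Export-Csv C:\Temp\autostart-baseline.csv -NoTypeInformation
```

Export the inventory once from a known-good build and diff later runs against it; a new Run value or task that was not in the baseline is far easier to spot than a suspicious one judged in isolation.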