Use system commands to see the changes in the system

  
System services, self-starting programs, and processes are the three major elements of the system. When optimizing the system or checking its security, we often have to monitor these three parts. Although plenty of professional software can manage them, Windows XP users can also manage them with the components and commands that come with the system itself.
Using the NET START command to monitor services

Many users optimize the system by manually turning off unnecessary services. However, because they are unfamiliar with the services being shut down, inexplicable failures sometimes appear after manual optimization. For example, after a friend's computer was optimized, the Nokia mobile browsing service that was originally used in the system could no longer be used. How do you know which services were turned off? You can quickly discover the changed services with the NET START command. This command lists the services that are currently started on the system and supports redirecting its output to a file.
1. Before performing system optimization (or while the system is working normally), start the command prompt and type "net start >d:\services.txt". This writes the services currently started on the system to d:\services.txt, which serves as a reference for the normal state of the system services.
2. If a failure appears after the system services have been adjusted, as above, execute "net start >d:\services1.txt" to output the service status after optimization.
3. Then type "fc d:\services.txt d:\services1.txt" at the command prompt. The FC command compares the two files. It quickly shows that a service called "ServiceLayer" changed between the state before and after optimization (Figure 1).
4. Now click "Start → Run" and enter "services.msc" to open the system service management window. Follow the prompts to set the ServiceLayer service to "Automatic" and start the service to resolve the failure.

Tip: In addition to the NET START command, we can also use "sc query" (lists current service details) and "sc query state= all" (lists all services, including hardware driver services) to monitor the services described above in more detail.
Using the WMIC command to learn about startup programs

Self-starting programs are loaded automatically when the system starts, and many viruses and Trojans run in the system this way. All self-starting programs can be listed easily with the WMIC commands that come with the system.
1. Start a command prompt and type "wmic" to install it. After that, WMIC commands can be used at the command prompt. While you are sure the system is virus-free and working normally, start the command prompt and type "wmic startup list brief >d:\start.txt" to output all self-starting items of the system to d:\start.txt.
2. As above, if you later suspect that an unknown self-starting item has been added to the system, enter "wmic startup list brief >d:\start1.txt" and then compare the two files with the FC command to quickly find the new startup item.

Using the WMIC command to see process information at a glance

The WMIC command can also show the details of the currently running processes. For example, the author found a new rundll32.exe startup item through an FC comparison, but on inspection rundll32.exe is a normal system file. In fact, the Trojan is run by using rundll32.exe to call a DLL file.
Enter "wmic" at the command prompt, then type "process" at the WMIC prompt wmic:root\cli>. The details of all current processes are listed, and you can see that rundll32.exe is calling the Trojan file c:\windows\hgz.dll (Figure 2).

Tip: When we suspect the system has been infected, we often use Task Manager to view the current processes. However, Task Manager cannot show process paths and parameters. The WMIC process command provides these details. So we can use the process command to view and record the started processes while the system is normal. Once something abnormal is noticed, FC can be used to quickly find new processes, and the abnormal items can be removed based on the path the process command reports.
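The process comparison described above, as an added example that is not part of the original article: a Python sketch that compares two process snapshots regardless of line order and, for a new rundll32.exe entry, reports the DLL it loads. It assumes the snapshots were saved with "wmic process get CommandLine,ExecutablePath,Name /format:list"; the sample data and the export name "Start" are constructed.

```python
import re

# Constructed sample snapshots in the Key=Value layout of /format:list.
BASELINE = r"""
CommandLine=C:\WINDOWS\Explorer.EXE
ExecutablePath=C:\WINDOWS\Explorer.EXE
Name=explorer.exe

CommandLine=C:\WINDOWS\system32\svchost.exe -k netsvcs
ExecutablePath=C:\WINDOWS\system32\svchost.exe
Name=svchost.exe
"""
# Same system later; the export name "Start" is a constructed placeholder.
CURRENT = BASELINE + r"""
CommandLine=rundll32.exe c:\windows\hgz.dll,Start
ExecutablePath=C:\WINDOWS\system32\rundll32.exe
Name=rundll32.exe
"""

def parse_snapshot(text):
    """Return a set of (name, path, command line) tuples, one per process."""
    rows = [{}]
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue                  # blank line or stray text
        if key in rows[-1]:           # repeated key: a new process record begins
            rows.append({})
        rows[-1][key] = value
    return {(r.get("Name", "").lower(), r.get("ExecutablePath", "").lower(),
             r.get("CommandLine", "")) for r in rows if r}

def new_processes(baseline_text, current_text):
    """Processes present now but absent from the baseline, in any order."""
    return sorted(parse_snapshot(current_text) - parse_snapshot(baseline_text))

def rundll32_target(command_line):
    """Return the DLL that a rundll32.exe command line loads, or None."""
    m = re.match(r'\s*"?[^"]*rundll32(?:\.exe)?"?\s+"?([^",]+)', command_line, re.I)
    return m.group(1).strip() if m else None

def report(baseline_text, current_text):
    """List each new process; for rundll32.exe also name the loaded DLL."""
    return [{"name": name, "path": path,
             "loads": rundll32_target(cmd) if name == "rundll32.exe" else None}
            for name, path, cmd in new_processes(baseline_text, current_text)]

if __name__ == "__main__":
    for finding in report(BASELINE, CURRENT):
        print(finding)
```

Unlike a line-by-line FC comparison, the set difference does not report processes that merely appear in a different order in the second snapshot.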