Which smss and csrss are the real ones?
[smss.exe]
PID = 0x2bc
CommandLine =
smss.exe
0x48580000
C:\WINDOWS\system32\smss.exe
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Microsoft Corporation
Windows NT Session Manager
2004-08-04 08:52:38
ntdll.dll
0x7c920000
C:\WINDOWS\system32\ntdll.dll
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Microsoft Corporation
NT Layer DLL
2004-08-04 08:52:02
[csrss.exe]
PID = 0x2f8
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
csrss.exe
0x4a680000
c:\windows\system32\csrss.exe
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Microsoft Corporation
Client Server Runtime Process
2004-08-04 08:52:30
[services.exe]
PID = 0x2fc
CommandLine = C:\WINDOWS\system32\winevt\services.exe
services.exe
0x400000
C:\WINDOWS\system32\winevt\services.exe
2008-06-08 08:09:52
[csrss.exe]
PID = 0x284
CommandLine = C:\WINDOWS\system32\winevt\csrss.exe 221.238.114.214
csrss.exe
0x400000
C:\WINDOWS\system32\winevt\csrss.exe
2008-06-08 08:10:32
[smss.exe]
PID = 0x578
CommandLine = "C:\WINDOWS\system32\winevt\smss.exe"
smss.exe
0x400000
C:\WINDOWS\system32\winevt\smss.exe
2008-06-03 17:12:30
The ones in here look suspicious to me: C:\WINDOWS\system32\winevt\
C:\WINDOWS\system32\winevt\smss.exe, and there is also UDP access
User system information: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)