Exchange 2003 2007 

Exchange Articles, News and Discussions

Exchange Startup files

Last post 06-12-2006, 10:05 AM by Ben Hoffman. 1 replies.
  •  06-09-2006, 3:54 AM (post 134)

    Exchange Startup files

    I am in the process of identifying a potential hack on an Exchange box for a forensic case we are working on. I am looking for some additional information on which files and services are initialized on a standard Exchange server.

    All help will be greatly appreciated. 

    Cheers 
    Lou
  •  06-12-2006, 10:05 AM (post 135, in reply to 134)

    Re: Exchange Startup files

    Hi Lou,

    What is the configuration of your Exchange server(s)? Are you running in a FE/BE setup, are you running RPC over HTTPS, are you running in a cluster?
    Anyway, here is a dump of all of the processes that are running on one of my test boxes. My test box is running Exchange 2003 SP2 with the latest updates. Additionally, it is non-clustered and not running NLB.

    Hope this helps!

    Process (indented by parent)  Version           Path                                                             Description
    System Idle Process
      Interrupts                                                                                                     Hardware Interrupts
      DPCs                                                                                                           Deferred Procedure Calls
      System
        smss.exe                  5.02.3790.1830    C:\WINDOWS\system32\smss.exe                                     Windows NT Session Manager
          csrss.exe               5.02.3790.0000    C:\WINDOWS\system32\csrss.exe                                    Client Server Runtime Process
          winlogon.exe            5.02.3790.1830    C:\WINDOWS\system32\winlogon.exe                                 Windows NT Logon Application
            services.exe          5.02.3790.1830    C:\WINDOWS\system32\services.exe                                 Services and Controller app
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
                wmiprvse.exe      5.02.3790.1830    C:\WINDOWS\system32\wbem\wmiprvse.exe                            WMI
                wmiprvse.exe      5.02.3790.1830    C:\WINDOWS\system32\wbem\wmiprvse.exe                            WMI
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
                wuauclt.exe       5.08.0000.2469    C:\WINDOWS\system32\wuauclt.exe                                  Automatic Updates
              spoolsv.exe         5.02.3790.1830    C:\WINDOWS\system32\spoolsv.exe                                  Spooler SubSystem App
              msdtc.exe           2001.12.4720.1830 C:\WINDOWS\system32\msdtc.exe                                    MS DTC console program
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              inetinfo.exe        6.00.3790.1830    C:\WINDOWS\system32\inetsrv\inetinfo.exe                         Internet Information Services
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              mssearch.exe        9.107.8320.0001   C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe   Microsoft PKM Search Service
              exmgmt.exe          6.05.6944.0000    C:\Program Files\Exchsrvr\bin\exmgmt.exe                         Microsoft Exchange WMI Provider
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              svchost.exe         5.02.3790.1830    C:\WINDOWS\system32\svchost.exe                                  Generic Host Process for Win32 Services
              mad.exe             6.05.6944.0000    C:\Program Files\Exchsrvr\bin\mad.exe                            Microsoft Exchange Server - System Attendant
              store.exe           6.05.6944.0003    C:\Program Files\Exchsrvr\bin\store.exe                          Microsoft MDB Store
              emsmta.exe          6.05.6944.0000    C:\Program Files\Exchsrvr\bin\emsmta.exe                         Microsoft Exchange MTA
            lsass.exe             5.02.3790.0000    C:\WINDOWS\system32\lsass.exe                                    LSA Shell
    explorer.exe                  6.00.3790.1830    C:\WINDOWS\explorer.exe                                          Windows Explorer
      ctfmon.exe                  5.02.3790.1830    C:\WINDOWS\system32\ctfmon.exe                                   CTF Loader
      mmc.exe                     5.02.3790.1830    C:\WINDOWS\system32\mmc.exe                                      Microsoft Management Console
      cmd.exe                     5.02.3790.1830    C:\WINDOWS\system32\cmd.exe                                      Windows Command Processor

    Regards

    Ben Hoffman
    Microsoft MVP - Windows Server System Exchange
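Added example (editor's code, not from either poster): a Python triage script that turns the known-good list above into a baseline of expected image directory and version family per process name, then compares a listing taken from a suspect box against it. It flags image names the baseline does not contain, known names running from an unexpected directory (the classic svchost.exe or lsass.exe masquerade), a process name that does not match its image file name, and version strings outside the expected family. The tab-separated input format, the severity labels and the sample "suspect" listing (including the nc.exe and misplaced svchost.exe/lsass.exe rows) are constructed for illustration; the baseline directories are taken from the paths in the post, lower-cased.

```python
"""Triage a process listing from an Exchange 2003 box against a known-good baseline.

Added example. BASELINE is distilled from the process list in the post above
(name -> expected directory, version prefix). The tab-separated input format
and SAMPLE_LISTING are constructed for illustration, not taken from a real case.
"""
from typing import Dict, List, Tuple

SYS32 = r"c:\windows\system32"
EXBIN = r"c:\program files\exchsrvr\bin"

# name -> (expected directory, expected version prefix); compared case-insensitively
BASELINE: Dict[str, Tuple[str, str]] = {
    "smss.exe": (SYS32, "5.02.3790"),
    "csrss.exe": (SYS32, "5.02.3790"),
    "winlogon.exe": (SYS32, "5.02.3790"),
    "services.exe": (SYS32, "5.02.3790"),
    "lsass.exe": (SYS32, "5.02.3790"),
    "svchost.exe": (SYS32, "5.02.3790"),
    "spoolsv.exe": (SYS32, "5.02.3790"),
    "wuauclt.exe": (SYS32, "5.08.0000"),
    "msdtc.exe": (SYS32, "2001.12.4720"),
    "wmiprvse.exe": (SYS32 + r"\wbem", "5.02.3790"),
    "inetinfo.exe": (SYS32 + r"\inetsrv", "6.00.3790"),
    "mssearch.exe": (r"c:\program files\common files\system\mssearch\bin", "9.107.8320"),
    "exmgmt.exe": (EXBIN, "6.05.6944"),
    "mad.exe": (EXBIN, "6.05.6944"),
    "store.exe": (EXBIN, "6.05.6944"),
    "emsmta.exe": (EXBIN, "6.05.6944"),
    "explorer.exe": (r"c:\windows", "6.00.3790"),
    "ctfmon.exe": (SYS32, "5.02.3790"),
    "mmc.exe": (SYS32, "5.02.3790"),
    "cmd.exe": (SYS32, "5.02.3790"),
}

Finding = Tuple[str, str, str, str]  # (severity, name, path, reason)


def parse_listing(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'name<TAB>version<TAB>path' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < 3:
            raise ValueError(f"malformed line: {line!r}")
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def triage(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    """Return one finding per suspicious row, in listing order."""
    findings: List[Finding] = []
    for name, version, path in rows:
        key = name.lower()
        directory, _, basename = path.lower().rpartition("\\")
        if key not in BASELINE:
            findings.append(("HIGH", name, path, "image name not in baseline"))
        elif basename != key:
            findings.append(("HIGH", name, path, f"process name differs from image file {basename}"))
        elif directory != BASELINE[key][0]:
            findings.append(("HIGH", name, path, f"known name outside expected directory {BASELINE[key][0]}"))
        elif not version.startswith(BASELINE[key][1]):
            findings.append(("MEDIUM", name, path, f"version {version} outside expected family {BASELINE[key][1]}"))
    return findings


# Constructed sample listing: two clean rows, two masquerades, a version oddity, one unknown binary.
SAMPLE_LISTING = """\
# name<TAB>version<TAB>path
smss.exe\t5.02.3790.1830\tC:\\WINDOWS\\system32\\smss.exe
svchost.exe\t5.02.3790.1830\tC:\\WINDOWS\\system32\\svchost.exe
svchost.exe\t5.02.3790.1830\tC:\\WINDOWS\\svchost.exe
lsass.exe\t5.02.3790.0000\tC:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\lsass.exe
store.exe\t6.05.6944.0003\tC:\\Program Files\\Exchsrvr\\bin\\store.exe
mad.exe\t6.05.6944.0000\tC:\\Program Files\\Exchsrvr\\bin\\mad.exe
inetinfo.exe\t6.00.2600.0000\tC:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe
nc.exe\t1.10\tC:\\WINDOWS\\Temp\\nc.exe
"""


def triage_sample() -> List[Finding]:
    return triage(parse_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    for sev, name, path, reason in triage_sample():
        print(f"[{sev}] {name:14} {path}  ({reason})")
```

A name/path/version match is only a first pass: a trojaned binary dropped over the real file in the right directory with a copied version resource passes this check, so anything the script clears still needs file hashes and Authenticode signatures compared against a clean install, and the parent-child relationships that the indentation in the list above shows (every svchost.exe under services.exe, lsass.exe under winlogon.exe) are worth checking by hand, since this script does not model the tree.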