Do all programs running in a computer show up in the processes tab in Task Manager? [duplicate]

windows virus anti-theft

The reason I am asking this is because I am curious if there can exist a virus in the computer without me ever being able to know it exists. To be more specific, a virus that emits no signs of any sort.


Solution 1:

There is a class of malware that can hide itself completely from the operating system known as a rootkit.

Rootkits are used to hide the evidence of other malware at work and are embedded very deeply in the operating system. Because of their deep embedding they are able to manipulate process lists, filesystem tables and other important structures on-the-fly.

By manipulating filesystem structures in memory they can return false or misleading results for directories, specifically not showing files related to the main malware itself. The files are there, and booting into an uninfected operating system such as a Linux LiveCD will show the files though, as they have to be stored somewhere.

Similarly, rootkits can simply drop certain processes from being reported to programs such as the Task Manager. The operating system core knows about them, as it needs to in order to schedule them, it has just been blocked from letting the outside world know about them.

Solution 2:

All normal programs will appear there, but...

  • without an Administrator account you will only be able to see your own process (Admin accounts can choose to view everybody's processes)
  • rootkits will try to conceal its existence by hiding its process from the list, compromising the task manager (so it doesn't show him), hiding inside another process address space...
  • services will run as threads under a svchost process (in most cases), so there's no easy pointint at which service is running under a given svchost instance.

There are some programs designed for detecting rootkits. They do so by checking for instance the list of threads programmed for execution and the list of processes in the system (a thread not belonging to any process is a sign of a hidden process), or the list of files seen at high-level, and comparing it with the files it manually reads from the disk partition.

Nonetheless, once you are infected, it is possible for a virus to conceal its presence so good that it's almost impossible to detect. Those are usually termed APTs (advanced persistent threat).

Solution 3:

Background

The operating system has a component known as the kernel. One of the kernel's (many) responsibilities is to manage system memory (both physical and virtual).

As part of doing this, the kernel splits the available memory into two distinct regions known as user mode and kernel mode. The kernel and drivers share the kernel mode memory, and user programs and less critical system components reside in the user mode memory region.

Processes in user mode can not generally communicate with those in kernel mode, except through specially designated and controlled channels.

For completeness it should be mentioned that processes running in user mode are also isolated from each other, but can more freely communicate with each other using facilities provided by the operating system provided that the programs are designed to do so.

Processes

The kernel provides the ability to launch processes in user mode. When a process is created it is added to an internal list of processes that currently exist. When a program such as Task Manager asks for a list of processes, it receives a subset of the information in this list, filtered by per user permissions.

One means for malware such as a rootkit to hide its existence is to directly remove itself from this table. Having done this it can still execute, but would no longer appear on a process list obtained by normal means.

Since these processes still actually exist and execute, they could be found by inspection of other kernel data structures, such as handle tables, which hold information about resources a process has open (e.g. files), or by examining memory allocations from which it is more difficult to hide without hindering the software's ability to function.

Kernel Mode Drivers

Kernel Mode drivers used for many things including interacting with physical hardware devices. They execute under the control of the kernel as necessary, but since they are not a user-mode process they do not appear in the table of processes. and hence will not appear in Task Manager, or other tools concerned exclusively with processes.

Being able to run code in kernel mode is an important step to being able to effectively hide the existence of executing code. Under normal circumstances Windows requires that code in kernel mode be signed in order to run, so malware may need to use exploits in the operating system, other software, or even social engineering to get here, but once code is executing in kernel mode, hiding becomes easier.

Summary

In summary, it's possible to hide evidence of a processes existence, there's likely always going to be some indication that the process exists, because it will generally always need to use some form of resource in order to do whatever it was designed to, how difficult that detection is depends on the specific malware.

Solution 4:

Viruses are pretty sophisticated nowadays. There can be a virus on your computer but not showing up in Task Manager. It is possible for Task Manager (and other parts of the operating system) to themselves be compromised, thus hiding the virus. For example, a rootkit.

If you're planning on relying on Task Manager to check for viruses, then you should stop now. Install an antivirus, and even an antivirus will sometimes fail to detect a virus on your PC.

Related

Building a minimal plugin architecture in Python
What Java 8 Stream.collect equivalents are available in the standard Kotlin library?
How to initialize std::vector from C-style array?
Java equivalent to C# extension methods
Where does gcc look for C and C++ header files?
Ignore modified (but not committed) files in git?
How to add a new row to an empty numpy array
How can I improve my paw detection?
WARNING: API 'variant.getJavaCompile()' is obsolete and has been replaced with 'variant.getJavaCompileProvider()'
disable maven download progress indication
git log of a single revision
C++ compiling on Windows and Linux: ifdef switch [duplicate]