How to disable features needing AgentSVR.Exe?

Discussion in 'Trojan Defence Suite' started by halcy, Aug 10, 2003.

Thread Status:
Not open for further replies.
  1. halcy

    halcy Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    10
    I'm a registered user of TDS-3.

    I'm not particularly happy that TDS-3 wants to load Microsoft Agent Server (agentsvr.exe) on start up.

    I have all speech related things disabled in TDS-3 Prefs.

    Isn't there anything I can do to disable this server? It is started by TDS-3, which requests its functionality. If I quit TDS-3, AgentSvr.exe quits as well, but then I have no real-time protection.

    Would it be possible to get this 'feature' fixed in a future release so that low memory system users can disable this?

    On my system AgentSvr.exe takes anything from 4 to 17 Mbytes of memory. That is way too much for a server that I absolutely do not need or use in any application.

    regards,
    Halcy
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Halcy and welcome!
    The agentsvr takes about 1mb or less until used.
    In the TDS > System Analysis > Process list you can just kill that server if you want.
    Depending on your Windows version the msagent functionality is loaded by Windows at bootup so you might get problems in XP and ME, in Office programs, etc. if you kill it.
    The speech engines are somewhere installed in the system and don't eat resources either till used.
    With a program like TaskInfo you can see how much is the load and the actual use at the moment of all running programs.

    Are there other programs which might take unnecessary load, if you want us to look with you at some settings and what you do have actually running?
    For instance with a hijackthis log?
     
  3. halcy

    halcy Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    10
    Thanks Jooske for the comments.

    I don't have any software installed except TDS-3 that insists on starting AgentSvr.exe (no, not running Office or any silly MSAgent updates).

    I never ever have this process running, unless I start TDS-3. I have also verified this startup dependency with Process Explorer.

    Currently, with all speech/agent features disabled in TDS-3, AgentSvr.exe takes up 4.3 MB RAM on my computer. So much for 1 MB :)

    I also know that I can kill it.

    However, I boot my computer daily, so it gets a little tedious to kill this process every single time I boot up.

    I mean, why does TDS-3 have to start up AgentSvr.exe when I have all the associated features turned off?

    I don't want AgentSvr and in fact, consider it another potential (albeit currently theoretical) security issue.

    Why does TDS-3 insist on starting it?

    Why not make it a user selectable option?

    regards,
    Halcyon
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    + AGENTSVR.EXE

    %CPU 0,04% (in my case having it active) Percent of CPU usage by process or thread.

    LT % CPU 0,03% Long time averaged percent of CPU usage by process or thread. You can set wide of averaging window from 4 to 60 seconds in “Preferences/Set Averaging Time for LT %CPU” menu. It is useful when you tune your application or System.

    CPU 0:02   Total CPU time used by process or thread.

    Sw/s 1   Number of CPU switches for process or thread.

    InMem KB    100 Physical memory currently used by process. In WinNT/2000 it is called Working Set.

    Total KB   4.464 Total Virtual Memory Space currently allocated for process.

    Th 2    Number of threads in process.

    Pri Norm System priority for process or threads. Thread priority shows absolute level consisting of two digits -- base and effective priority. Base thread priority is defined by process base priority and thread priority set by process itself. Current thread priority deviates slightly around base thread priority. The system moves it higher when a thread is blocked (waiting) on something (for example in the process of File IO). This is to enable a faster start of this thread’s execution when it is unblocked (File Reading ending, for example). For a similar reason, the priority is lowered when the thread is executing for a significant time.

    Ver 4,0   Version of Windows for which this process is built. For Example Processes build for Win95 and NT 4.0 have version 4.0

    State 32     State of processes defined only in Win9x now. In WinNT and Win2000 it is blank for processes and has different flags for threads in 9x and NT.   This shows whether the process is 16 or 32 bit code and GUI, Console applications or DOS Virtual Machine. For threads, it shows some state flags: Blocked, Idle, etc. For VM, it shows the DPMI state. You can see here next values:
       For Windows9x Applications:

    16   Win16 Application
    32   Win32 Application

    Con   If this is set than it is Win32 alphanumeric console application. Else it is Application with Graphic User Interface (GUI).
    Sys   This Application is System Service. This means that this Application is not deleted during User Logoff/Logons. Usually Applications of this type are needed for System to work correctly. So think please before trying to kill it.
    Dbg   Application attached to Debugger.
    DbgBlock   Application Blocked (temporary suspended) by Debugger.
    Terminating   Application in process of termination. Usually you can see this flag because it is waiting for ending of some input/output operation after you try to kill this application

    Faulted   Application perform some type of Fault and waiting for termination or start of debugger.
    For Dos Application:
    Dos   It is Dos Application.

    16   16 bit application
    32   32 bit application. It may be Protected mode application.

    DPMI   Dos Protected Mode Application. May be 16 or 32 bit.
    Suspend   Suspended.
    Block   Dos Application is Blocked on something. Most likely waiting for ending of some input/output (file read for example) operation.
    Idle   Application says that doesn’t wants CPU.
    For Thread you can see:
    In Windows9x:
    Ring0   So called Ring0 thread created and used by one of VxD. It formally belong to Kernel32.exe
    Block   Thread is Blocked on something. Most likely waiting for ending of some input/output (file read for example) operation. Maybe some synchronization between threads. In this state thread doesn’t use CPU.

    Suspend   Suspended.
    E-Handles   Usually means file input/output operation in progress.
    In NT and Win2000 most often you can see:
    Ready   Ready to run and wait for CPU. Normal situation is not have more than 3 ready to run threads all the time! In System Info Panel you can see number of ready to run threads in “Queue for CPU” field.
    Running   Thread is running on one of CPU. To see this state you must have at least two CPUs in your System! Because TaskInfo will run on one – thread will run on other.

    Wait XXXX   Wait for something (XXXX).


    Path   Path of process executable.
    C:\WINDOWS\MSAGENT\AGENTSVR.EXE


    Current Process Pane



    CMD =C:\WINDOWS\MSAGENT\AGENTSVR.EXE -Embedding
    Curr Dir =%TDSdir%
    Started by =%TDSdir%
    Data KB =2.552 in mem = 84 in use = 84
    Code KB =1.912 in mem = 16 in use = 16
    Handles Count =21
    Windows = 8

    This info comes from TaskInfo2000

    It's telling that's the size of the program, but now idle there is only 100kb in Mem, so even less than I thought.
    And remember I have it active with speech and everything waiting for commands.
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    AFAIU, its functionality got implemented because of user demands, but somehow the option you claim was either forgotten or just skipped because it was too complicated to implement (or for some other reasons that I don't know).
    I would suppose TDS-4 will have it in fact user-selectable and that until then, we just have to keep killing the thing. (I could imagine to automate this (à la browser popup killer), but then you have yet another thingy running.) It's not sooo tedious after all...
    (Just don't ask when TDS-4 will be out :D)

    CU,
    Andreas
     