What are these Windows processes on Linux?

59

10

I checked in htop what is running on the system and found/saw something that I don't know what it is, Windows Desktop and explorer.exe. I'm using Ubuntu Linux and there is no Windows on this laptop.

Here is the image of the process

Output of htop, showing "C:\Windows\system32\explorer.exe /desktop" & "C:\Windows\system32\services.exe"

How can I find out what these are?

~$ ps -aux | grep "explorer.exe\|services.exe"
root      3110  0.0  0.0 2645728  352 ?        Ssl  06:45   0:00 C:\windows\system32\services.exe
root      3413  0.0  0.0 2658592 1440 ?        Ssl  06:45   0:00 C:\windows\system32\explorer.exe /desktop
root     20817  0.0  0.0  14360  2408 pts/4    S+   15:20   0:00 grep --color=auto explorer.exe\|services.exe

VLS

Posted 2017-04-10T11:45:44.723

Reputation: 661

69I knew it! The truth has finally been revealed! Ubuntu was Windows all along! – Matti Virkkunen – 2017-04-10T23:48:49.327

16Are you... running your GUI session as root? I hope you aren't, because that's a very bad idea as far as security is concerned. – Léo Lam – 2017-04-11T09:41:24.307

@LéoLam, Yes, I'm.. I'm not that familiar yet with creating users etc. – VLS – 2017-04-11T11:17:53.750

4@LéoLam oops! don't do that! – dalearn – 2017-04-12T01:14:47.910

Answers

50

Some Windows apps running in Wine or front-ends to Wine like PlayOnLinux or Crossover leave explorer.exe and other Windows executables open after they are closed. Try running some of your Wine applications one by one and check in htop for explorer.exe after you close them.

Or run this command in the terminal:

ps -aux | grep "explorer.exe\|services.exe"

The two Windows processes in your question have been running for more than 8 hours. Possibly they have been running since right after Ubuntu booted. Kill the PIDs of explorer.exe and services.exe and check if these two processes come back afterwards. To kill the PIDs of explorer.exe and services.exe in the example in your question use this command:

kill 3413 3110

The results of running the above command showed that the two Windows processes have been running since startup. Open the built-in Startup Applications app which shows a list of all Additional startup programs in your operating system.

Startup Applications showed only a normal Ubuntu startup program in the list of additional startup programs. Run the following command right after the next time you start up Ubuntu to show what process forked what so you may get a better idea what process is calling your two Windows processes.

ps auxf

karel

Posted 2017-04-10T11:45:44.723

Reputation: 11 374

2I don't have anything windows related. Not even Wine.. I have only mono installed but I didn't run it since 1 month.. I'm not familiar with linux that much and I'm not what is Wine at all.. – VLS – 2017-04-10T12:05:04.393

I've updated my question with output of the command – VLS – 2017-04-10T12:21:55.427

Yes, they are running since system boot e.g. on startup. After I kill them there not presenting on ps -aux .... Is there a way to see startup programs like on windows? – VLS – 2017-04-10T13:00:46.063

2There is a built-in Ubuntu application to see startup programs called Startup Applications. Search for Startup Applications in the Dash and click on the icon to open it. – karel – 2017-04-10T13:05:52.800

Only one program appears there SSH Key Agent. GNOME Keyring: SSH Agent – VLS – 2017-04-10T13:08:28.603

1Thanks for the help. Really appreciated it. I will continue to monitor it and if there is still such things like windows processes will try to find out why and what make them starting. – VLS – 2017-04-10T13:30:50.233

2Those are very definitely some version of wine, even if it's built-in to another program - I know of no other linux program which would report C:\ paths like that, and wine definitely does that for programs running inside it. Are you sure that you don't have wine or another cross-over app using wine installed? – daboross – 2017-04-11T01:09:19.457

@DaboRoss I'm almost 99% sure. I've using this Linux OS since 2-3 months and still getting familiar with it. I'm sure that I didn't installed wine or apps which are using it. I have few programs installed here. – VLS – 2017-04-11T06:15:41.100

Only possibility that I can think is if Mono using some sort of Wine.. and starting the processes – VLS – 2017-04-11T06:25:12.023

3@VLS Mono can use wine, yes. It may have automatically installed some wine components when you installed mono. Also wine may have been automatically installed when you tried to install a windows application, possibly without you realising it (not sure if Ubuntu does that out-of-the-box, I normally disable automatic installation and such things). – Micheal Johnson – 2017-04-11T07:43:26.930

13Other examples of programs using Wine without telling you: TeamViewer, Picasa. – reinierpost – 2017-04-11T08:54:08.510

18

Look at the /proc filesystem:

ls -l /proc/3413/exe

And it will show you the binary of the process. Under the directory, there are more pseudofiles giving useful information, and another useful one is cmd,

cat /proc/3413/cmd

giving you the arguments used to launch the process (if any).

Radovan Garabík

Posted 2017-04-10T11:45:44.723

Reputation: 331

Use of the direct approach for the win. – Joshua – 2017-04-12T02:52:14.047

Asked: 2017-04-10T11:45:44.723

Viewed: 8 531 times

Active: 2017-04-11T21:38:32.023