
Processes good or bad


michaelmoran
Mar 24, 2009, 01:05 PM
Both svchost.exe and winlogon.exe are listed as being both good (Microsoft-ness) and bad (trojans). Which is it, and how do you tell which ones are the good ones?

Thanks

Scleros
Mar 24, 2009, 02:32 PM
Both svchost.exe and winlogon.exe are listed as being both good (Microsoft-ness) and bad (trojans). Which is it?

It can be both. For example, there could be the legit version in the Windows folder tree and a bogus one somewhere else in the file system.


and how do you tell which ones are the good ones?

One clue is the file's date and time or location - is it where it shouldn't be if it was the legit Microsoft version? Another is the process ID (PID) visible in the Task Manager - legit processes tend to have lower value PIDs than non-legit. A third is how the process gets executed - non-legits tend to be launched by the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. Generating a SHA (http://en.wikipedia.org/wiki/SHA-2) or MD5 (http://en.wikipedia.org/wiki/Md5) hash of the file with one of the freely available utilities and comparing to a hash made from a known good copy of the same file version from another system or extracted from the setup files on the Windows CD or last service pack can verify authenticity. Some files might have digital signatures (http://en.wikipedia.org/wiki/Digital_signature).

Resources:
Wikipedia - Windows Resource Protection (http://en.wikipedia.org/wiki/Windows_Resource_Protection)
MSDN - Windows Resource Protection (http://msdn.microsoft.com/en-us/library/aa382503(VS.85).aspx)
Wikipedia - System File Checker (http://en.wikipedia.org/wiki/System_File_Checker)
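The checks in the answer above (on-disk location, PID, Run-key autostarts, hash comparison against a known-good copy, and digital signature) can be scripted. The following PowerShell is an added example written for this thread, not code posted by Scleros or shipped by Microsoft. It assumes PowerShell 3 or later, an elevated (Administrator) session so that process paths are readable, and that the placeholder SHA-256 values in `$knownGood` are replaced with hashes you compute yourself from a trusted copy of the same file version.

```powershell
# Added example (not from the original thread): triage running svchost.exe and
# winlogon.exe instances using the clues given in the answer above.
# ASSUMPTION: PowerShell 3+, run as Administrator so $p.Path is populated.

$suspectNames = 'svchost', 'winlogon'
$system32     = Join-Path $env:SystemRoot 'System32'

# ASSUMPTION / placeholder: fill these in with SHA-256 hashes taken from a
# known-good copy of the same file version (another clean machine, or the
# setup files on the install media / last service pack).
$knownGood = @{
    'svchost.exe'  = 'PLACEHOLDER_SHA256_FROM_TRUSTED_COPY'
    'winlogon.exe' = 'PLACEHOLDER_SHA256_FROM_TRUSTED_COPY'
}

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing also works on PowerShell versions that predate Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

$report = foreach ($p in Get-Process | Where-Object { $suspectNames -contains $_.ProcessName }) {
    $path = $p.Path   # $null when the process is protected or we lack rights
    $inSystem32 = $false; $hashMatch = $null; $sigStatus = 'n/a'
    if ($path) {
        # Clue 1: the legit copy lives under %SystemRoot%\System32, not elsewhere.
        $inSystem32 = (Split-Path $path -Parent).TrimEnd('\') -ieq $system32
        # Clue 4: compare the file hash with the hash of a known-good copy.
        $expected = $knownGood[(Split-Path $path -Leaf).ToLower()]
        if ($expected) { $hashMatch = ((Get-Sha256Hex $path) -ieq $expected) }
        # Clue 5: check the Authenticode digital signature on the file.
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [PSCustomObject]@{
        Name       = $p.ProcessName
        PID        = $p.Id           # Clue 2: PID, for comparison by the reader
        Path       = $path
        InSystem32 = $inSystem32
        HashMatch  = $hashMatch      # $null means no reference hash supplied
        Signature  = $sigStatus
        Suspicious = (-not $inSystem32) -or ($hashMatch -eq $false) -or ($sigStatus -ne 'Valid')
    }
}
$report | Format-Table -AutoSize

# Clue 3: autostart entries in the HKLM / HKCU Run keys that mention either name.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ($suspectNames | Where-Object { $entry.Value -match $_ }) {
            'Run entry {0}\{1} = {2}' -f $key, $entry.Name, $entry.Value
        }
    }
}
```

A row with `Path` empty means the process could not be inspected from this session, not that it is clean; rerun elevated. On 64-bit Windows a 32-bit svchost.exe may legitimately run from `%SystemRoot%\SysWOW64`, so treat `InSystem32 = False` as a prompt to look at the hash and signature columns rather than as a verdict on its own.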