this post was submitted on 10 Apr 2026
25 points (100.0% liked)

Linux


When I start my PC (Nobara 43), memory is up to 70% usage. I dual boot, but use Windows like 5% of the time. I have a swap partition (64 GB), but it shows 0b usage. Is it safe to kill the windows process? Can anyone shed some light on what's going on? I was starting to think this is sketchy lol

[–] hexagonwin@lemmy.today 19 points 2 days ago (1 children)

you dual boot, why would there be a 'windows' process running on linux side? this doesn't make sense. unless there's some program you use on linux that is named 'windows' i'm inclined to believe this is a malware of some sort, maybe a crypto miner if it uses that much resource.

[–] thermogel@lemmy.ml 1 points 2 days ago (2 children)

yeah that's what i thought :/ how tf do i get rid of this?

[–] deadcade@lemmy.deadca.de 10 points 2 days ago (1 children)

Assuming this is malware, depending on the complexity it might be really hard to remove. The best course of action is much like on Windows; Backup your personal files, figure out how the malware got on your PC (so you can avoid it next time), then reinstall the operating system.

For backing up personal files, stick to documents, media, etc. Do not include executables (like installed games), and be very careful with config files (and system files), basically only back these up if you know what's in them is legitimate.

You can find more about the process in the /proc/4212/ directory (this is the number on the left in top). By running ls -l, you should be able to see where the exe symlink points to, which tells you where the program is installed. This might give you a clue as to where it came from (or it might not, depending on how the malware is made). If you suspect it is not malware, due to information on your system, look it up online before trusting it. I have personally never seen a root-owned "windows" process, which is why I'm heavily leaning towards this being malware.

If you feel like you know where the malware came from, or you're stuck and are struggling to find out more, you should reinstall your operating system to get rid of the malware. Malware can have different levels of complexity, what you're seeing on the surface might be the whole thing, or it could have more complex systems to reinstall itself after removal. Which is why reinstalling your operating system is the safer option.

[–] thermogel@lemmy.ml 0 points 2 days ago (2 children)

Thanks, this is useful info. It doesn't appear to be restarting itself after I killed the process. Is this a good sign?

[–] deadcade@lemmy.deadca.de 2 points 2 days ago (2 children)

This doesn't really say much; this could be legitimate software thinking it crashed, or it could be malware trying to hide itself.

Try seeing if sudo find / -type f -name windows tells you anything about where it's installed. This command searches through / (all files) to find a file (-type f) that is named windows (the same as the process name).

[–] non_burglar@lemmy.world 1 points 2 days ago

find will catch more if you wildcard the name with "windows", but that's a moot point: we don't have enough info to jump to "malware" conclusions here.

Looking for malware by hunting for the name in a procid list won't usually get far, you'd be better to netstat to see what various processes are listening or phoning home to confirm suspicions of malware.

[–] thermogel@lemmy.ml 1 points 2 days ago (1 children)
[–] deadcade@lemmy.deadca.de 2 points 2 days ago

Heavily leaning towards malware; normal software tends to name itself the same on disk and in ram, this seems to be it trying to hide itself.

Since there's now nothing to go off of for how this got on your system, the best course of action is to back up your documents and reinstall your system fresh. To avoid malware in the future, stick to the built-in app store and system repositories where possible.

[–] Malix@sopuli.xyz 1 points 2 days ago (1 children)

it'll probably be back running once you reboot. better find out where on your storage it is, why is it starting and where did it come from.

[–] thermogel@lemmy.ml 1 points 2 days ago

It's not showing after reboot. I wanted to trace it back but there's no trace, hmm

[–] IEatDaFeesh@lemmy.world 2 points 2 days ago* (last edited 2 days ago) (1 children)

Maybe reinstall OS and update bios? I'm not too sure myself.

[–] thermogel@lemmy.ml 0 points 2 days ago (1 children)

I think I solved it? I ran

sudo kill -9 <PID>

(PID being 4212 in my case)

Memory usage is back to normal after a reboot, seems fine!

[–] ClassyHatter@sopuli.xyz 5 points 2 days ago

That command only killed the process, in other words, it "closed the program". Rebooting the computer would have had the same exact effect. The application is still in your computer, unless it decided to self-destruct.

[–] gratux@lemmy.blahaj.zone 9 points 2 days ago (2 children)

Do you use WinBoat? Because this is exactly how my WinBoat Windows VM presents using top. htop shows the qemu-system command, and btop shows both.

[–] wendigolibre@lemmy.zip 4 points 2 days ago (1 children)

OP may have some confusion about what dual-boot means. WinBoat running in the background is the best plausible explanation for this, IMO.

[–] FauxLiving@lemmy.world 1 points 2 days ago

Yeah, it's almost certainly a VM.

[–] thermogel@lemmy.ml 1 points 2 days ago (2 children)

Yeah it's most likely that! Thanks

[–] bad1080@piefed.social 2 points 1 day ago

you should update the OP with this information

[–] ClassyHatter@sopuli.xyz 2 points 1 day ago* (last edited 1 day ago)

If you want to confirm that, launch one or all of your WinBoat apps. While they are running, run pidof windows. If that gave some pids, run pstree -sp <pid>. That command shows the parent processes, with their pids, of the <pid>. WinBoat probably should be among the parents of the “windows” process.
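
The checks suggested in the comments above (the exe symlink under /proc/<pid>/ and the pidof plus pstree -sp parent lookup), combined into one script as an added example; it is not code from any commenter or from WinBoat. The function names and the triage.sh file name are made up for this example, and it assumes a Linux system with /proc mounted.

```shell
#!/usr/bin/env bash
# Added example: triage processes by the short name top shows, using only /proc.

# Binary behind a PID. A trailing " (deleted)" means the file was unlinked after start.
proc_exe()  { readlink "/proc/$1/exe" 2>/dev/null || echo "unreadable"; }
# Name shown by top. A process may set this itself, so it is a hint, not proof.
proc_comm() { cat "/proc/$1/comm" 2>/dev/null || echo "?"; }
proc_ppid() { awk '/^PPid:/ {print $2}' "/proc/$1/status" 2>/dev/null || true; }

# All PIDs whose short name equals $1 (same idea as pidof, without needing it).
pids_by_name() {
  local f
  for f in /proc/[0-9]*/comm; do
    if [ "$(cat "$f" 2>/dev/null)" = "$1" ]; then
      f=${f#/proc/}; echo "${f%/comm}"
    fi
  done
}

# Parent chain, child first, e.g. "4212(windows) <- 4100(parent) <- 1(init)".
ancestry() {
  local pid=$1 out=""
  while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -d "/proc/$pid" ]; do
    out="${out:+$out <- }$pid($(proc_comm "$pid"))"
    pid=$(proc_ppid "$pid")
  done
  echo "$out"
}

# True when the on-disk file name (cut to the kernel's 15 characters) equals the short name.
name_matches_exe() {
  local exe; exe=$(proc_exe "$1"); exe=${exe% (deleted)}
  [ "$(basename "$exe" | cut -c1-15)" = "$(proc_comm "$1")" ]
}

# Report for every process with the given name; run as root to read other users' exe links.
triage() {
  local p
  for p in $(pids_by_name "$1"); do
    echo "pid=$p owner=$(stat -c %U "/proc/$p" 2>/dev/null) exe=$(proc_exe "$p")"
    name_matches_exe "$p" || echo "  note: short name differs from binary name"
    echo "  parents: $(ancestry "$p")"
  done
}

# Usage: sudo ./triage.sh windows
if [ -n "${1:-}" ]; then triage "$1"; fi
```

A name mismatch alone is not conclusive, since scripts run through an interpreter and programs that rename themselves (QEMU's -name ...,process= option does this) show it too; the parent chain is what ties the process to a known launcher. The script has to run while the process is alive, because the /proc/<pid> entry disappears once it is killed.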

[–] bad1080@piefed.social 2 points 1 day ago* (last edited 1 day ago)

to me it sounds like something trying to hide in a windows system (where a process like that wouldn't stand out). but it running in your linux system probably means it sits in something other than your storage (like your boot sector or bios).

[–] Jankatarch@lemmy.world 3 points 2 days ago
[–] umbrella@lemmy.ml 1 points 2 days ago (1 children)

out of curiosity, which directory is this weird thing located in?

[–] thermogel@lemmy.ml 0 points 2 days ago (2 children)

Seemed to be /proc/4212 but it's gone after I killed the process.

[–] ClassyHatter@sopuli.xyz 5 points 2 days ago

/proc is a special directory that is populated by procfs, a special kind of filesystem. It contains information about running processes. Each sub-directory contains information for one process. When you launch an application, it's assigned some process id. Every time you launch the application, it gets a different process id.

[–] non_burglar@lemmy.world 2 points 2 days ago

Use ps -ef to find the source of the file.

[–] Aristoxene@feddit.fr -1 points 2 days ago

This is very good news, and a beneficial effect of the slump we currently find ourselves in.

[–] mr_anny@sopuli.xyz -4 points 2 days ago (1 children)

Maybe it's fastboot and windows is actually running in the background?

[–] hexagonwin@lemmy.today 11 points 2 days ago (1 children)

nope, that's not how things work