Out-of-the-box process filters

  • Release version: Australia
  • Updated March 12, 2026
  • 21 minutes to read
  • There are a variety of Linux and Windows out-of-the-box running process filters that are turned on and used for filtering processes.

    Table 1. Linux out-of-the-box filters
    Name Description
    dhclient dhclient is a system process in Linux that is responsible for dynamically configuring network interfaces using the Dynamic Host Configuration Protocol (DHCP). It communicates with a DHCP server to obtain network configuration information, such as IP address, subnet mask, default gateway, and DNS servers. dhclient is commonly used in environments where network addresses are assigned dynamically, such as in home and small business networks.
    crond crond is a system service in Linux that provides support for the cron scheduling utility. It is responsible for running scheduled jobs at specified times and intervals. crond is commonly used for automating system maintenance tasks, such as backups and log rotation, as well as for running user-defined scripts and applications at specific times.
    sleep The sleep process is a command that is used to pause the execution of a shell script or a command for a specified amount of time. It is a simple way to delay the execution of a script or command for a specific duration.
    agetty agetty is a system service in Linux that manages virtual console login sessions. It provides a terminal interface for users to log in to the system and access the command line interface. agetty is responsible for initializing the terminal, displaying the login prompt, and authenticating the user's credentials.
    dbus-daemon dbus-daemon is a system service in Linux that implements the D-Bus message bus system. It is responsible for enabling communication between applications and system services on the same host or on a network. dbus-daemon manages the message bus and dispatches messages between applications and services, allowing them to exchange data and request services from each other.
    rsyslogd rsyslogd is a system service in Linux that manages system logs and provides centralized logging capabilities. It is a powerful and flexible logging system that allows administrators to configure and manage log messages generated by various applications and services on a system or across a network. rsyslogd provides advanced features such as log filtering, log forwarding, and log rotation, and supports a variety of output formats and destinations, including files, databases, and remote syslog servers. rsyslogd is commonly used in server environments and can be configured using a configuration file or a graphical user interface.
    auditd auditd is a system service in Linux that provides an auditing framework for tracking security-relevant events on the system. It collects and logs security events generated by the kernel and user space applications, which can be used for forensic analysis, compliance monitoring, and intrusion detection. auditd can be configured to generate alerts or take other actions based on predefined rules or policies.
    irqbalance irqbalance is a system service in Linux that balances interrupt requests (IRQs) among processors in a multicore system to improve performance and reduce latency. It detects and monitors IRQ activity and redistributes IRQs to the least busy processor, which can help to reduce processing bottlenecks and improve system responsiveness. irqbalance is commonly used in high-performance computing environments and other systems with high levels of interrupt activity.
    systemd-journald systemd-journald is a system service in Linux that provides a centralized logging system for system and application logs. It is designed to collect and store log data in a structured and efficient manner and allows for advanced querying and filtering of log data. systemd-journald provides a unified interface for accessing and managing logs across different Linux distributions and can be configured using a configuration file or a command-line interface. It is commonly used in server and desktop environments to monitor and troubleshoot system and application issues.
    abrtd abrtd is a system process that runs on Linux systems and is responsible for detecting and reporting application crashes to the system administrator. The process collects information about the crashed application, such as core dumps, and stores them in a report.
    atd atd is a system service in Linux that allows for the scheduling of one-time jobs to be executed at a specific time and date. It is useful for running jobs that need to be executed at a specific time or for automating tasks that need to run once in the future.
    lvmetad lvmetad is a system service in Linux that provides metadata caching for Logical Volume Management (LVM). It caches metadata information about LVM volumes and devices, which can improve the performance of LVM operations and reduce the time needed to scan and initialize LVM devices. lvmetad is commonly used in systems that rely heavily on LVM, such as virtualization environments and storage servers.
    polkitd polkitd is a system service in Linux that provides an authorization framework for controlling access to privileged actions and resources. It enables non-privileged users to perform specific tasks or access certain resources that require elevated privileges, such as installing software or configuring network settings, by prompting them to authenticate using their password or other means. polkitd provides a policy engine that can be configured by administrators to define fine-grained access controls for specific users, groups, or applications.
    acpid acpid is a system service in Linux that listens for ACPI (Advanced Configuration and Power Interface) events generated by the hardware and notifies the operating system. It is responsible for managing power events, such as power button presses, and executing user-defined actions in response to them.
    anacron anacron is a system service in Linux that allows for the scheduling of periodic jobs, similar to cron, but with the added ability to ensure that missed jobs are executed when the system next becomes available. It is useful for running periodic tasks that may be delayed due to system downtime or user inactivity.
    (sd-pam) sd-pam is a system service in Linux that provides support for the Pluggable Authentication Modules (PAM) framework. It is responsible for handling user authentication and authorization requests from various system services and applications.
    NetworkManager NetworkManager is a system service in Linux that manages network connectivity for desktops, laptops, and other devices. It provides a unified interface for configuring and managing wired, wireless, mobile broadband, and other network connections, handling IP addressing, DNS configuration, and other network settings. NetworkManager is commonly used in desktop environments and graphical user interfaces and can be configured using a graphical user interface or command-line interface.
    hcid hcid is a system service in Linux that provides support for Bluetooth connectivity. It is responsible for managing Bluetooth devices, connections, and services on the system. hcid provides an interface for applications and system services to interact with Bluetooth devices and is used to configure and manage Bluetooth-related settings, such as device pairing, authentication, and authorization.
    hidd hidd is a system process in Linux that provides support for Bluetooth human interface devices (HID), such as keyboards and mice. It is responsible for managing Bluetooth connections and providing a common interface for HID devices to communicate with the system. hidd is commonly used in desktop environments to enable wireless input devices to be used with the system.
    iscsid iscsid is a system process in Linux that provides support for the iSCSI protocol, which is used to access storage devices over a network. It is responsible for discovering iSCSI targets, establishing and managing iSCSI sessions, and providing access to iSCSI devices as if they were locally attached storage. iscsid is commonly used in virtualization environments and other systems that require remote access to storage resources.
    klogd klogd is a system process in Linux that is responsible for logging kernel messages to the system log. It monitors the kernel log buffer for new messages and writes them to the system log file or sends them to a remote logging server. klogd is commonly used for troubleshooting kernel issues and monitoring system activity, as well as for collecting diagnostic information for system administrators and developers.
    mingetty tty1 mingetty tty is a system process in Linux that provides a terminal login prompt on a virtual console. It is responsible for initializing the terminal device, displaying the login prompt, and accepting user login credentials. mingetty tty is used for each virtual console in a Linux system and can be used for system administration and debugging tasks, as well as for running console-based applications.
    ModemManager ModemManager is a system service in Linux that manages mobile broadband (GSM/CDMA/UMTS/LTE) and other modem connections. It provides a unified interface for configuring and managing modem devices, handling connections to the internet or other networks, and monitoring modem activity. ModemManager is commonly used on laptops, tablets, and other mobile devices that require wireless network connectivity.
    pcscd pcscd is a system service in Linux that provides support for smart card readers and smart cards. It enables applications to access smart cards and their content using the PC/SC (Personal Computer/Smart Card) interface standard. pcscd provides a unified interface for accessing various types of smart card readers and can be used by applications such as web browsers, email clients, and authentication systems that require smart card support.
    power-profiles-daemon power-profiles-daemon is a system service in Linux that manages power profiles and power management settings for laptops and other mobile devices. It provides a unified interface for configuring and managing power-saving features, such as screen brightness, CPU frequency scaling, and suspend modes, based on user preferences and system usage patterns. power-profiles-daemon is commonly used in desktop environments and graphical user interfaces and can be configured using a graphical user interface or command-line interface.
    pulseaudio pulseaudio is a system service in Linux that manages audio devices, streams, and applications. It provides a unified audio interface for both input and output audio streams and supports advanced features such as volume control, mixing, and audio effects. pulseaudio is commonly used in desktop environments and graphical user interfaces and can be configured using a graphical user interface or command-line interface. It supports a variety of audio hardware and software configurations, including multiple audio devices and network audio streaming.
    chronyd chronyd is a system service in Linux that is responsible for synchronizing the system clock with a reference time source. It implements the Network Time Protocol (NTP) and can be used to synchronize the system clock with a variety of time sources, including GPS clocks and atomic clocks. chronyd is commonly used in environments where accurate time synchronization is important, such as in financial trading or scientific research.
    rtkit-daemon rtkit-daemon is a system service in Linux that provides real-time scheduling and priority management for audio and other time-sensitive applications. It is designed to ensure that these applications get access to the CPU and other system resources they need to function properly and avoid audio glitches, latency, or other performance issues. rtkit-daemon uses the Linux real-time capabilities and provides a simple interface for applications to request real-time scheduling and priority. It is commonly used in desktop environments and audio applications and can be configured using a configuration file or a graphical user interface.
    sssd sssd is a system service in Linux that provides centralized authentication, identity, and access management for a variety of services and applications. It is designed to simplify the management of user accounts and credentials in large, multi-domain environments and provides a unified interface for authentication, authorization, and identity resolution. sssd supports a variety of identity sources, including local files, LDAP directories, and Active Directory domains, and provides advanced features such as offline authentication, caching, and failover. It is commonly used in enterprise environments and can be configured using a configuration file or a graphical user interface.
    sssd_kcm sssd_kcm is a system service in Linux that provides a Kerberos Credential Cache Manager for the System Security Services Daemon (SSSD). It is designed to improve the security and performance of Kerberos-based authentication and authorization by caching Kerberos credentials and tickets locally and providing a unified interface for accessing them. sssd_kcm is commonly used in enterprise environments that rely on Kerberos for centralized authentication and access control and can be configured using a configuration file or a graphical user interface.
    systemd-hostnamed systemd-hostnamed is a system service in Linux that provides hostname and DNS resolution configuration. It is designed to simplify the configuration of network-related settings such as hostname, domain name, and DNS servers. systemd-hostnamed provides a unified interface for configuring these settings across different Linux distributions and can be configured using a configuration file or a command-line interface. It is commonly used in server and desktop environments to configure network settings during system startup or runtime.
    systemd-timesyncd systemd-timesyncd is a system service in Linux that provides time synchronization for the system clock. It synchronizes the system clock with a remote time server over the network and can be configured to use multiple time sources for redundancy. systemd-timesyncd is commonly used in server and desktop environments to ensure accurate timekeeping for various system and application functions.
    hald hald is a system service in Linux that is responsible for detecting and handling hardware events, such as the insertion and removal of storage devices and other hardware components. It provides a common interface for applications and system services to interact with the hardware and is used to configure and manage system resources, such as input devices and storage volumes. hald is commonly used in desktop environments to provide plug-and-play functionality for hardware devices.
    xfs xfs is a high-performance, journaling file system for Linux that is optimized for scalability and large files. It was originally developed by Silicon Graphics, Inc. for use in their IRIX operating system and was later ported to Linux. xfs supports features such as snapshots, online resizing, and advanced file permissions. It is commonly used in high-performance computing, media and entertainment, and other industries where handling large files and data sets is critical.
    audispd audispd is a system service in Linux that is responsible for processing audit events generated by the kernel's auditing subsystem. It is part of the Audit framework and is used to provide secure logging of system events for auditing and forensic purposes. audispd can be configured to send audit events to various targets, such as syslog or a centralized log server.
    automount automount is a system service in Linux that provides automatic mounting of file systems when they are accessed by users or applications. It allows for on-demand mounting of file systems, reducing the amount of time and system resources spent on unnecessary file system mounts. Automount is particularly useful in environments with large numbers of networked file systems or removable storage devices.
    avahi-daemon: chroot helper avahi-daemon is a system service in Linux that implements the zeroconf protocol for service discovery on local networks. The chroot helper is a component of avahi-daemon that is responsible for setting up a chroot environment for the service, which helps to increase security by limiting the access that avahi-daemon has to the system.
    Table 2. Windows out-of-the-box filters
    Name Description
    System Idle Process In the Windows operating system, "System Idle Process" is not actually a process, but rather a system idle task that runs when the CPU has nothing else to do. It represents the percentage of time the CPU is idle and available to handle other processes. So, it is an important system component that shows the current CPU usage when no other processes are running.
    svchost.exe svchost.exe is a Windows process that is responsible for hosting multiple Windows services. It acts as a host process for several system services and enables the efficient sharing of system resources among them. The services running under svchost.exe can include Windows Update, Windows Defender, Remote Procedure Call (RPC), and many others. By hosting these services under a single process, svchost.exe helps to reduce the memory footprint of the system and improve overall system performance.
    wmiprvse.exe WmiPrvSE.exe is a Windows system process that provides management information and control through the Windows Management Instrumentation (WMI) framework. It runs as a service in the background and allows applications and scripts to access system management information, perform administrative tasks, and monitor system performance. WmiPrvSE.exe can be run in both local and remote modes and can be used to manage a wide range of system resources, including hardware, software, and network components. It is an essential component of the Windows operating system and is typically used by system administrators and IT professionals.
    conhost.exe conhost.exe is a Windows process that serves as a host for console applications. It was introduced in Windows 7 and is responsible for managing the command prompt windows and other console-based applications. conhost.exe provides improved compatibility and security features compared to its predecessor, the csrss.exe process, which was used for the same purpose in older versions of Windows.
    WUDFHost.exe WUDFHost.exe is a Windows User-Mode Driver Framework (UMDF) Host Process that manages user-mode drivers running in the context of the Windows Driver Foundation (WDF). It provides a framework for developing and executing drivers in user mode rather than kernel mode, improving stability and reliability of the system. WUDFHost.exe is used for Plug and Play devices and other driver-based hardware components. It runs in the background and typically consumes low system resources.
    LogonUI.exe LogonUI.exe is a Windows system process that manages the Windows logon screen and user authentication. When a user attempts to log in to a Windows computer, LogonUI.exe displays the logon screen and prompts the user to enter their login credentials. Once the user's credentials are entered, LogonUI.exe verifies them and grants the user access to the system. LogonUI.exe is an essential component of the Windows operating system and should not be terminated or disabled.
    csrss.exe The csrss.exe process is a critical component of the Windows operating system. It is responsible for handling certain functions related to the graphical user interface (GUI), such as managing windows and consoles. The process runs in a separate session from the user's session to ensure stability and security of the operating system. It is an essential system process and should not be terminated unless there is a specific and valid reason to do so.
    dllhost.exe dllhost.exe is a Windows system process responsible for running and managing COM (Component Object Model) components. COM components are reusable software modules that can be accessed by other programs, and they are often used to facilitate inter-process communication between different applications. The dllhost.exe process hosts these COM components and ensures their proper execution and management. It is commonly used by a variety of Windows applications and services.
    Fontdrvhost.exe Fontdrvhost.exe is a Windows system process that manages the installation, removal, and enumeration of font files. It is responsible for loading and rendering fonts in applications that use the Windows Font Cache Service. Fontdrvhost.exe runs in the background and does not have a visible interface. It is important for maintaining the system's font library and ensuring that fonts are available to applications when needed.
    wlanext.exe wlanext.exe is a Windows system process that provides support for wireless LAN (WLAN) configurations and operations. It is responsible for managing the wireless network adapters and implementing the functionality of the WLAN AutoConfig service, which enables automatic configuration of wireless networks and supports the Wi-Fi Protected Setup (WPS) protocol. The process runs in the background and can be managed through the Services console or the Command Prompt.
    winlogon.exe winlogon.exe is a system process in Windows that manages the login and logout of user sessions. It is responsible for authenticating users and loading their user profile upon login, as well as closing down any open applications and saving user data when a user logs off or shuts down the system. Winlogon.exe runs as a service in the background and is essential for the proper functioning of the Windows operating system.
    unsecapp.exe unsecapp.exe is a Windows system process that is related to the Distributed Component Object Model (DCOM). It runs in the background and acts as a mediator between a client and a server application that communicate using DCOM. When a client sends a request to a server using DCOM, unsecapp.exe is responsible for handling the security aspects of the communication and ensuring that the request is authorized. It is a legitimate system process and is typically located in the C:\Windows\System32 folder.
    w3wp.exe w3wp.exe is a Windows process that stands for Windows Process Activation Service Worker Process. It is used by the Internet Information Services (IIS) web server to host and manage ASP.NET web applications. w3wp.exe allows multiple web applications to run simultaneously on the same server, and it provides a secure, isolated environment for each application. It is a critical component of the IIS server and is often monitored closely to ensure the stability and performance of web applications.
    dwm.exe dwm.exe is a Windows system process that stands for Desktop Window Manager. It is responsible for managing graphical effects, such as transparent windows and window animations, in the Windows operating system. The process is also responsible for rendering the desktop, managing windows, and providing visual effects such as Aero Glass. It was introduced with Windows Vista and has since been included in all subsequent versions of Windows.
    lsass.exe lsass.exe is a critical system process in Windows that handles authentication and security-related functions such as local and remote logon, password changes, and security policy enforcement. It is a core component of the Windows operating system and is required for the proper functioning of the system.
    System System is not a Windows process in the traditional sense. Instead, it refers to a collection of processes and services that are critical to the functioning of the operating system. These processes and services are responsible for managing hardware resources, handling system events, and providing essential functions like memory management, process scheduling, and security. In other words, System is the core of the Windows operating system.
    smss.exe smss.exe, or Session Manager Subsystem, is a critical system process in Windows that is responsible for launching user-mode applications during system startup. It also creates system threads, initializes system-wide data structures, and handles system shutdown and reboot requests. It is one of the first processes to start during the Windows boot process.
    services.exe services.exe is a system process in Windows responsible for managing system services, including starting and stopping them, and controlling their configuration settings. It runs in the background and provides essential functionality for the operating system.
    wininit.exe wininit.exe is a system process in Windows that runs during the startup process of the operating system. Its main function is to initialize critical system services and processes that are required for the system to function properly. It is responsible for running the Windows startup sequence, including launching the Session Manager (smss.exe) process.
    spoolsv.exe spoolsv.exe is a system service process in Windows that manages the printing process. It is responsible for queuing and spooling print jobs, communicating with the printer, and ensuring that each job is printed correctly. The process runs in the background and is critical for the proper functioning of the printing subsystem in Windows. If the spoolsv.exe process encounters errors, it can result in printing problems and errors.
    taskhostw.exe taskhostw.exe is a Windows system process that serves as a host for various background tasks that run on the system. It manages and executes tasks such as Windows updates, maintenance tasks, and user-defined tasks. It is a critical system process and terminating it can cause system instability.
    SearchProtocolHost.exe SearchProtocolHost.exe is a Windows process that is responsible for indexing and performing search operations on the system. It is a part of the Windows Search service, which allows users to quickly search for files and folders on their computer. The SearchProtocolHost.exe process runs in the background and indexes files and folders based on user-defined search criteria. When a search query is performed, the process is activated and retrieves the relevant search results.
    SearchIndexer.exe SearchIndexer.exe is a Windows system process that indexes files and folders on local and networked drives to enable faster searching. It runs in the background and continuously indexes new or changed files to maintain an up-to-date index database. The process is essential for Windows Search functionality and can be found on most Windows operating systems.
    Explorer.exe Explorer.exe is a core process in Windows operating systems responsible for providing the user interface, desktop, and file management functions. It is commonly referred to as the Windows Explorer or File Explorer, and allows users to navigate and manage files, folders, and applications on their computer.
    SearchFilterHost.exe SearchFilterHost.exe is a Windows system process that is responsible for indexing and searching files on the computer. It is a component of the Microsoft Windows Search service, which allows users to quickly search for files and documents on their computer. The process runs in the background and can use a significant amount of system resources while indexing files.
    SCNotification.exe SCNotification.exe is a Windows system process that is responsible for showing system notifications, such as alerts and messages, to the user. It is part of the Windows Shell Experience Host (ShellExperienceHost.exe) process, which manages the user interface for the Start menu, taskbar, and Action Center in Windows 10.
    sihost.exe sihost.exe is a system process in Windows that is responsible for launching the Start menu and handling its interactions. It is an essential part of the user interface and provides a graphical interface to interact with the system.
    MonitoringHost.exe MonitoringHost.exe is a legitimate system process that is a part of the Windows operating system. It is used by the Windows Error Reporting (WER) infrastructure to collect and send telemetry and diagnostic data to Microsoft, which is then used to improve the stability and performance of Windows.