Core Windows Processes
Process Explorer (displays more info than taskmgr)
You can use the following PowerShell commands on a Windows system to list processes: tasklist, Get-Process or ps.
Processes shown without a parent-child relationship should not have a parent process under normal circumstances, except for the System process, which should only have System Idle Process (0) as its parent process.
System
The first Windows process on the list is System.
The PID of a process is normally assigned at random, but that is not the case for the System process: the PID for System is always 4.
"The System process (process ID 4) is the home for a special kind of thread that runs only in kernel mode: a kernel-mode system thread. System threads have all the attributes and contexts of regular user-mode threads (such as a hardware context, priority, and so on) but are different in that they run only in kernel mode executing code loaded in system space, whether that is in Ntoskrnl.exe or in any other loaded device driver. In addition, system threads don't have a user process address space and hence must allocate any dynamic storage from operating system memory heaps, such as a paged or nonpaged pool."
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: N/A or C:\Windows\system32\ntoskrnl.exe (NT OS Kernel) | Image Path: Other
Parent Process: None or System Idle Process (0) | A parent process (aside from System Idle Process (0))
Process PID: 4 | A different PID (remember that the PID will always be 4)
Number of Instances: One | Multiple instances of System (there should only be one instance)
User Account: Local System | User Account: Not Local System
Start Time: At boot time | Start Time: Not at boot time
Running in Session 0 | Not running in Session 0
smss.exe (Session Manager Subsystem)
It is responsible for creating new sessions and is the first user-mode process started by the kernel.
SMSS is also responsible for creating environment variables and the virtual-memory paging files.
This process starts the kernel and user modes of the Windows subsystem. This subsystem includes:
win32k.sys (kernel mode)
winsrv.dll (user mode)
csrss.exe (user mode)
Smss.exe starts:
csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system
csrss.exe and winlogon.exe in Session 1, which is the user session
The first child instance creates child instances in new sessions; it does so by smss.exe copying itself into the new session and then self-terminating.
Session 0 (csrss.exe & wininit.exe)
Session 1 (csrss.exe & winlogon.exe)
Any other subsystem listed in the Required value of HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems is also launched.
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\smss.exe | The image path is different from C:\Windows\System32
Parent Process: System (4) | A parent process other than System (4)
Number of Instances: One master instance and a child instance per session. The child instance exits after creating the session. | More than one running process (children self-terminate and exit after each new session)
User Account: Local System | The running user is not the SYSTEM user
Start Time: Within seconds of boot time for the master instance | Start Time: -
| Unexpected registry entries for Subsystem
csrss.exe (Client Server Runtime Process)
csrss.exe is the user-mode side of the Windows subsystem.
If this process is terminated for any reason, it will result in system failure.
This process is responsible for the Win32 console window and for process and thread creation and deletion.
For each instance, csrsrv.dll, basesrv.dll, and winsrv.dll are loaded (along with others).
This process is also responsible for making the Windows API available to other processes, mapping drive letters, and handling the Windows shutdown process.
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\csrss.exe | Image file path other than C:\Windows\System32
Parent Process: Created by an instance of smss.exe | An actual parent process (smss.exe calls this process and self-terminates)
Number of Instances: Two or more | Subtle misspellings to hide rogue processes masquerading as csrss.exe in plain sight
User Account: Local System | The user is not the SYSTEM user
Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although only Sessions 0 and 1 are often created. |
wininit.exe (Windows Initialization Process)
The Windows initialization process is responsible for initializing and setting up a number of things:
It sets the default environment variables (USERPROFILE, ALLUSERSPROFILE, PUBLIC, and ProgramData).
It creates the LSASS process and sets the LSA encryption key.
It creates the Service Control Manager by launching the SERVICES.EXE process.
It creates the temp directory in the system root (%SystemRoot%\Temp).
Etc.
wininit.exe is responsible for launching services.exe (Service Control Manager), lsass.exe (Local Security Authority), and lsaiso.exe within Session 0.
It is another critical Windows process that runs in the background, along with its child processes.
Note: lsaiso.exe is a process associated with Credential Guard and KeyGuard. You will only see this process if Credential Guard is enabled.
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\wininit.exe | Image file path other than C:\Windows\System32
Parent Process: Created by an instance of smss.exe | An actual parent process (smss.exe calls this process and self-terminates)
Number of Instances: One | Multiple running instances
User Account: Local System | Not running as SYSTEM
Start Time: Within seconds of boot time |
| Subtle misspellings to hide rogue processes in plain sight
wininit.exe > services.exe (Service Control Manager (SCM))
Its primary responsibility is to handle system services: loading services, interacting with services, and starting or ending services.
This process is the parent of several other key processes: svchost.exe, spoolsv.exe, msmpeng.exe, and dllhost.exe, to name a few.
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\services.exe | Image file path other than C:\Windows\System32
Parent Process: wininit.exe | A parent process other than wininit.exe
Number of Instances: One | Multiple running instances
User Account: Local System | Not running as SYSTEM
Start Time: Within seconds of boot time |
| Subtle misspellings to hide rogue processes in plain sight
It maintains a database that can be queried using the Windows built-in utility sc.exe.
cmd.exe
C:\Users\Administrator> sc.exe
DESCRIPTION:
SC is a command line program used for communicating with the
Service Control Manager and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...
Information regarding services is stored in the registry under HKLM\System\CurrentControlSet\Services.
This process also loads device drivers marked as auto-start into memory.
When a user logs into a machine successfully, this process is responsible for setting the value of the Last Known Good control set (Last Known Good Configuration), HKLM\System\Select\LastKnownGood, to that of the CurrentControlSet.
wininit.exe > services.exe > svchost.exe (Service Host)
svchost.exe is responsible for hosting and managing Windows services.
The services running in this process are implemented as DLLs.
The DLL that implements a given service is recorded in the registry under that service's Parameters subkey, in the ServiceDLL value.
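As an added example (not part of the original notes), the PowerShell below walks the Services registry hive, picks out every service whose ImagePath runs under svchost.exe with a -k group, and reports the ServiceDll it resolves to, flagging DLLs that are missing or live outside %SystemRoot%. The "outside %SystemRoot% means suspicious" rule is this example's own triage heuristic, not a Windows guarantee.

```powershell
# Added example (not part of the original notes): list the DLL behind each
# svchost-hosted service and flag the ones that do not resolve under
# %SystemRoot%. Assumes a local Windows host; read access to HKLM is enough.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot.TrimEnd('\').ToLower()

$report = Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svc   = $_
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    # Only services hosted by svchost.exe carry the "-k <group>" switch.
    if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe.*\s-k\s') { return }

    # ServiceDll normally sits under the Parameters subkey; a few services keep it
    # directly on the service key, so check both places.
    $dll = (Get-ItemProperty (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = $props.ServiceDll }

    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).ToLower()
        $outside  = -not $expanded.StartsWith($systemRoot)
    } else {
        $expanded = '(no ServiceDll value)'
        $outside  = $true
    }
    [pscustomobject]@{
        Service    = $svc.PSChildName
        ImagePath  = $props.ImagePath
        ServiceDll = $expanded
        Suspicious = $outside
    }
}

# A svchost-hosted service whose DLL is missing or lives outside %SystemRoot%
# deserves a closer look (file signature, creation time, who installed it).
$report | Where-Object Suspicious | Format-Table Service, ServiceDll, ImagePath -AutoSize
```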
Since svchost.exe will always have multiple running processes on any Windows
system, this process has been a target for malicious use.
Adversaries create malware to masquerade as this process and try to hide
amongst the legitimate svchost.exe processes.
They can name the malware svchost.exe or misspell it slightly, such as
scvhost.exe. By doing so, the intention is to go under the radar.
Another tactic is to install/call a malicious service (DLL).
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\svchost.exe | Image file path other than C:\Windows\System32
Parent Process: services.exe | A parent process other than services.exe
Number of Instances: Many |
User Account: Varies (SYSTEM, Network Service, Local Service) depending on the svchost.exe instance. In Windows 10, some instances run as the logged-in user. |
Start Time: Typically within seconds of boot time. Other instances of svchost.exe can be started after boot. |
| Subtle misspellings to hide rogue processes in plain sight
There is a key identifier in the binary path, and that identifier is -k. This is how a legitimate svchost.exe process is called. | The absence of the -k parameter in the command line
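The parent-process, image-path and -k checks in this table (and the same parent/path rows in the tables for smss.exe, csrss.exe, wininit.exe, services.exe, lsass.exe, winlogon.exe and explorer.exe) can be applied to the live process list in one pass. The script below is an added example, not code from the original notes; the $expected baseline and the PID-reuse guard are this example's own assumptions.

```powershell
# Added example (not part of the original notes): compare each running core
# process with the expected parent, image directory and, for svchost.exe, the
# -k switch from the tables above. Assumes a local Windows host and PowerShell
# 5.1 or later; run elevated so ExecutablePath/CommandLine are visible for
# SYSTEM processes. The $expected table is this example's own baseline.

$sys32 = Join-Path $env:SystemRoot 'System32'
# '<exited>' means the real parent has already gone away, which is normal
# for children of smss.exe and userinit.exe.
$expected = @{
    'smss.exe'     = @{ Parents = @('system', 'smss.exe');       Dir = $sys32 }
    'csrss.exe'    = @{ Parents = @('smss.exe', '<exited>');     Dir = $sys32 }
    'wininit.exe'  = @{ Parents = @('smss.exe', '<exited>');     Dir = $sys32 }
    'winlogon.exe' = @{ Parents = @('smss.exe', '<exited>');     Dir = $sys32 }
    'services.exe' = @{ Parents = @('wininit.exe');              Dir = $sys32 }
    'lsass.exe'    = @{ Parents = @('wininit.exe');              Dir = $sys32 }
    'svchost.exe'  = @{ Parents = @('services.exe');             Dir = $sys32 }
    'explorer.exe' = @{ Parents = @('userinit.exe', '<exited>'); Dir = $env:SystemRoot }
}

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

foreach ($p in $procs) {
    $name = $p.Name.ToLower()
    if (-not $expected.ContainsKey($name)) { continue }
    $rule   = $expected[$name]
    $parent = $byPid[[uint32]$p.ParentProcessId]
    # PIDs get reused: a "parent" created after its child is not the parent.
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
    $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }

    $findings = @()
    if ($rule.Parents -notcontains $parentName) {
        $findings += "parent '$parentName' (expected: $($rule.Parents -join ', '))"
    }
    if ($p.ExecutablePath -and (Split-Path $p.ExecutablePath -Parent) -ne $rule.Dir) {
        $findings += "image path '$($p.ExecutablePath)'"
    }
    if ($name -eq 'svchost.exe' -and $p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') {
        $findings += 'no -k switch on the command line'
    }
    if ($findings.Count -gt 0) {
        '{0} (PID {1}, session {2}): {3}' -f $p.Name, $p.ProcessId, $p.SessionId, ($findings -join '; ')
    }
}
```

Lookalike names such as scvhost.exe are deliberately not in $expected, so they never match a rule here; they are found by comparing the full process list against the set of known names, which this script does not do.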
wininit.exe > lsass.exe (Local Security Authority Subsystem Service)
The Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system.
It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON.
It uses authentication packages specified in HKLM\System\CurrentControlSet\Control\Lsa.
Lsass.exe is another process adversaries target.
Common tools such as mimikatz are used to dump credentials, or adversaries
mimic this process to hide in plain sight. Again, they do this by either naming
their malware by this process name or simply misspelling the malware slightly.
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\lsass.exe | Image file path other than C:\Windows\System32
Parent Process: wininit.exe | A parent process other than wininit.exe
Number of Instances: One | Multiple running instances
User Account: Local System | Not running as SYSTEM
Start Time: Within seconds of boot time |
| Subtle misspellings to hide rogue processes in plain sight
smss.exe (non-existent) > winlogon.exe (Windows Logon)
winlogon.exe is responsible for handling the Secure Attention Sequence
(SAS). It is the ALT+CTRL+DELETE key combination users press to enter their
username & password.
This process is also responsible for loading the user profile.
It loads the user’s NTUSER.DAT into HKCU, and userinit.exe loads the
user’s shell.
It is also responsible for locking the screen and running the user’s screensaver,
among other functions.
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\System32\winlogon.exe | Image file path other than C:\Windows\System32
Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name. | An actual parent process (smss.exe calls this process and self-terminates)
Number of Instances: One or more |
User Account: Local System | Not running as SYSTEM
Start Time: Within seconds of boot time for the first instance (for Session 1). Additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons. |
| Subtle misspellings to hide rogue processes in plain sight
| Shell value in the registry other than explorer.exe
explorer.exe (Windows Explorer)
This process gives the user access to their folders and files. It also provides functionality for other features, such as the Start Menu and Taskbar.
The Winlogon process runs userinit.exe, which launches the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
Userinit.exe exits after spawning explorer.exe. Because of this, the parent process is non-existent.
What is normal and abnormal behaviour for this process?
Normal Behaviour | Abnormal Behaviour
Image Path: %SystemRoot%\explorer.exe | Image file path other than C:\Windows
Parent Process: Created by userinit.exe, which exits | An actual parent process (userinit.exe calls this process and exits)
Number of Instances: One or more per interactively logged-in user |
User Account: Logged-in user(s) | Running as an unknown user
Start Time: First instance when the first interactive user logon session begins |
| Subtle misspellings to hide rogue processes in plain sight
| Outbound TCP/IP connections