
Windows Process Genealogy

The document outlines the Windows process genealogy, detailing the various processes that initiate at boot and their relationships. Key processes include smss.exe, csrss.exe, wininit.exe, and lsass.exe, with specific notes on their creation and behavior. It also mentions additional processes like runtimebroker.exe and taskhostw.exe that vary in their initiation.

Uploaded by

smalik.cybersec

Version 2.

Windows Process Genealogy


youtube.com/13cubed

Process tree (each indented entry is a child of the entry above it):

System: 1 @ boot
    smss.exe: 1 @ boot for master, + 1 / session @ varies
        csrss.exe¹: 2 @ boot, + 1 / session @ varies
        wininit.exe¹: 1 @ boot
            services.exe: 1 @ boot
                svchost.exe: many @ boot
                    runtimebroker.exe: ? 1 @ varies
                    taskhostw.exe: ? 1 @ varies
            lsaiso.exe³: 0 / 1 @ boot
            lsass.exe: 1 @ boot
        winlogon.exe¹: 1 @ boot, + 1 / session @ varies
            userinit.exe: spawns explorer.exe & exits
                explorer.exe²: 1 @ first interactive logon, + 1 / interactively logged-on user

Note: Registry and MemCompression, used for registry hive management and memory optimization respectively, are also child processes of System. Expect one of each at boot.

¹ Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.

² Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the parent process name.

³ Present only when Credential Guard is enabled. Functionality of lsass.exe is split between itself and this process.
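
One way to apply this chart in triage, added here as an example and not part of the original poster: the script below checks a process snapshot for parent-child pairs and instance counts that deviate from the genealogy. The `(pid, ppid, name)` tuple format, the `check_genealogy` name and every PID in the sample are assumptions constructed for illustration.

```python
from collections import Counter

# Expected parent per the chart; None = creator has exited (footnotes 1 and 2).
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": None, "wininit.exe": None,
    "winlogon.exe": None, "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe", "lsaiso.exe": "wininit.exe",
    "userinit.exe": "winlogon.exe", "svchost.exe": "services.exe",
    "explorer.exe": None, "runtimebroker.exe": "svchost.exe",
    "taskhostw.exe": "svchost.exe",
}
# The chart shows at most one instance of each of these.
SINGLETONS = {"system", "wininit.exe", "services.exe", "lsass.exe", "lsaiso.exe"}

# Constructed snapshot as (pid, ppid, name); PIDs 508, 592 and 3050 have exited.
SAMPLE = [
    (4, 0, "System"), (400, 4, "smss.exe"),
    (520, 508, "csrss.exe"), (600, 508, "wininit.exe"),
    (608, 592, "csrss.exe"), (680, 592, "winlogon.exe"),
    (720, 600, "services.exe"), (740, 600, "lsass.exe"),
    (900, 720, "svchost.exe"), (1200, 900, "RuntimeBroker.exe"),
    (3100, 3050, "explorer.exe"),
    (4242, 3100, "svchost.exe"),  # constructed anomaly: child of explorer.exe
    (5150, 3100, "lsass.exe"),    # constructed anomaly: second lsass.exe
]

def check_genealogy(procs):
    """Return (pid, name, reason) for each deviation from the chart."""
    by_pid = {pid: name.lower() for pid, _, name in procs}
    counts = Counter(by_pid.values())
    findings = []
    for pid, ppid, name in procs:
        name = name.lower()
        if name in SINGLETONS and counts[name] > 1:
            findings.append((pid, name, "more than one instance"))
        if name not in EXPECTED_PARENT:
            continue
        want = EXPECTED_PARENT[name]
        have = by_pid.get(ppid)  # None when the parent PID is not running
        if have != want:
            reason = f"parent {have or 'exited'}, expected {want or 'exited'}"
            findings.append((pid, name, reason))
    return findings

if __name__ == "__main__":
    for finding in check_genealogy(SAMPLE):
        print(finding)
```

Parent lookups by PID alone can be misled by PID reuse, so each finding is a lead to verify against process creation times rather than a verdict.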
