Core Windows Processes
Intro
Part 1:
The first Windows process on the list is System. It was mentioned in a previous section that a PID for any given process is assigned at random, but that is not the case for the System process. The PID for System is always 4. What does this process do exactly?
The official definition from Windows Internals 6th Edition:
"The System process (process ID 4) is the home for a special kind of thread that runs only in kernel mode a kernel-mode system thread. System threads have all the attributes and contexts of regular user-mode threads (such as a hardware context, priority, and so on) but are different in that they run only in kernel-mode executing code loaded in system space, whether that is in Ntoskrnl.exe or in any other loaded device driver. In addition, system threads don't have a user process address space and hence must allocate any dynamic storage from operating system memory heaps, such as a paged or nonpaged pool."
What is user mode? Kernel-mode? Visit the following link to understand each of these.
Now, what is normal behaviour for this process? Let's use Process Explorer and view the properties of the System.
Image Path: N/AParent Process: NoneNumber of Instances: OneUser Account: Local SystemStart Time: At boot time
The information is slightly different if we view the System properties using Process Hacker.
Image Path: C:\Windows\system32\ntoskrnl.exe (NT OS Kernel)Parent Process: System Idle Process (0)
Technically this is correct. You may notice that Process Hacker confirms this is legit (Verified) Microsoft Windows.
What is unusual behaviour for this process?
Session 1 (csrss.exe & winlogon.exe)
Any other subsystem listed in the Required value of HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems is also launched.
SMSS is also responsible for creating environment variables, virtual memory paging files and starts winlogon.exe (the Windows Logon Manager).
What is normal?
Image Path: %SystemRoot%\System32\smss.exeParent Process: SystemNumber of Instances: One master instance and child instance per session. The child instance exits after creating the session.User Account: Local SystemStart Time: Within seconds of boot time for the master instance
What is unusual?
As mentioned in the previous section, csrss.exe (Client Server Runtime Process) is the user-mode side of the Windows subsystem. This process is always running and is critical to system operation. If this process is terminated by chance, it will result in system failure. This process is responsible for the Win32 console window and process thread creation and deletion. For each instance, csrsrv.dll, basesrv.dll, and winsrv.dll are loaded (along with others).
This process is also responsible for making the Windows API available to other processes, mapping drive letters, and handling the Windows shutdown process. You can read more about this process here.
Note: Recall that csrss.exe and winlogon.exe are called from smss.exe at startup for Session 1.
What is normal?
Session 0 (PID 392)
d
Session 1 (PID 512)
Notice what is shown for the parent process for these two processes. Remember, these processes are spawned by smss.exe, which self-terminates itself.
Image Path: %SystemRoot%\System32\csrss.exeParent Process: Created by an instance of smss.exeNumber of Instances: Two or moreUser Account: Local SystemStart Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although only Sessions 0 and 1 are often created.
What is unusual?
Note: lsaiso.exe is a process associated with Credential Guard and KeyGuard. You will only see this process if Credential Guard is enabled.
What is normal?
Image Path: %SystemRoot%\System32\wininit.exeParent Process: Created by an instance of smss.exeNumber of Instances: OneUser Account: Local SystemStart Time: Within seconds of boot time
What is unusual?
Information regarding services is stored in the registry, HKLM\System\CurrentControlSet\Services.
This process also loads device drivers marked as auto-start into memory.
When a user logs into a machine successfully, this process is responsible for setting the value of the Last Known Good control set (Last Known Good Configuration), HKLM\System\Select\LastKnownGood, to that of the CurrentControlSet.
This process is the parent to several other key processes: svchost.exe, spoolsv.exe, msmpeng.exe, and dllhost.exe, to name a few. You can read more about this process here.
What is normal?
Image Path: %SystemRoot%\System32\services.exeParent Process: wininit.exeNumber of Instances: OneUser Account: Local SystemStart Time: Within seconds of boot time
What is unusual?
Per Wikipedia, "Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log."
It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON. It uses authentication packages specified in HKLM\System\CurrentControlSet\Control\Lsa.
Lsass.exe is another process adversaries target. Common tools such as mimikatz are used to dump credentials, or adversaries mimic this process to hide in plain sight. Again, they do this by either naming their malware by this process name or simply misspelling the malware slightly.
Extra reading: How LSASS is maliciously used and additional features that Microsoft has put into place to prevent these attacks.
What is normal?
Image Path: %SystemRoot%\System32\lsass.exeParent Process: wininit.exeNumber of Instances: OneUser Account: Local SystemStart Time: Within seconds of boot time
What is unusual?
The Windows Logon, winlogon.exe, is responsible for handling the Secure Attention Sequence (SAS). It is the ALT+CTRL+DELETE key combination users press to enter their username & password.
This process is also responsible for loading the user profile. It loads the user's NTUSER.DAT into HKCU, and userinit.exe loads the user's shell. Read more about this process here.
It is also responsible for locking the screen and running the user's screensaver, among other functions. You can read more about this process here.
Remember from earlier sections, smss.exe launches this process along with a copy of csrss.exe within Session 1.
What is normal?
Image Path: %SystemRoot%\System32\winlogon.exeParent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.Number of Instances: One or moreUser Account: Local SystemStart Time: Within seconds of boot time for the first instance (for Session 1). Additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.
What is unusual?
The last process we'll look at is Windows Explorer, explorer.exe. This process gives the user access to their folders and files. It also provides functionality for other features, such as the Start Menu and Taskbar.
As mentioned previously, the Winlogon process runs userinit.exe, which launches the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Userinit.exe exits after spawning explorer.exe. Because of this, the parent process is non-existent.
There will be many child processes for explorer.exe.
What is normal?
Image Path: %SystemRoot%\explorer.exeParent Process: Created by userinit.exe and exitsNumber of Instances: One or more per interactively logged-in userUser Account: Logged-in user(s)Start Time: First instance when the first interactive user logon session begins.
What is unusual?
Note: The above image is the explorer.exe properties view from Process Explorer.
Last updated